System for authentication center

ABSTRACT

This invention provides a system for authentication center, so that a user can manage centrally at the authentication center the statuses of the logins or the sessions by which the different terminals used by the user enter the user's accounts at different service parties.

TECHNICAL FIELD

This invention is about the systems or methods for authentication center.

BACKGROUND

Nowadays people generally use multiple terminals to access the internet, and often use different terminals to log in to their own accounts at various websites and online service providers. Many of these logins and sessions are persistent: even when the user closes the browser or closes the terminal (such as a phone), the status of such a login or session is maintained, as in popular apps such as WeChat. This leads to the problem that after the terminal is replaced (for example, by a new cell phone), the original terminal still maintains the status of the login or the session by which it enters the user's account. When the user uses multiple terminals, it is hard to remember and manage the validity of the statuses of the logins or the sessions of the different terminals. This creates a large security loophole and hidden danger, and at present there is no network service to help users centrally manage the login statuses of their own accounts.

SUMMARY

In view of the above security problems, this invention provides a system for authentication center to enable a user to manage centrally, in one authentication center, the statuses of the logins or sessions by which the different terminals used by the user enter the user's own accounts at different service providers. The details of this invention are as below.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party by a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where the service party sends the statuses of the logins or the sessions by which the different terminals used by a user enter the user's APID at the service party to the authentication center, where after a user logs in to the AUID at the authentication center by using the current terminal the authentication center is capable of sending the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APIDs at different service parties to the current terminal used by the user, where on the current terminal's interface which has logged in to the user's AUID at the authentication center the user is capable of changing or stopping or disabling the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APIDs at different service parties.

The terminal, the service party and the authentication center are connected by the internet.

The user is capable of seeing and setting (changing or stopping or invalidating), on the interface which has logged in to the AUID at the authentication center, the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APID at the different service parties.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center to permit or forbid the specific terminal to log in to the user's APID at the specific service party.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center to forbid the terminal which is not registered in the authentication center or not associated with the user's AUID at the authentication center to log in to the user's APID at the specific service party or the user's APIDs at all service parties.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center, or the authentication center is capable of setting automatically by default, that the specific terminal must log in to the user's APID at the specific service party through the authentication center, or that the specific terminal is capable of logging in to the user's APID at the specific service party only when the user has logged in to the user's AUID at the authentication center by the authentication program.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center to permit or forbid the specific terminal to use the specific function of the specific service party.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where the service party sends the statuses of the logins or the sessions by which the different programs used by a user enter the user's APID at the service party to the authentication center, where after a user logs in to the AUID at the authentication center by using the current terminal the authentication center is capable of sending the statuses of the logins or the sessions by which the different programs used by the user enter the user's APIDs at different service parties to the current terminal used by the user, where on the current terminal's interface which has logged in to the user's AUID at the authentication center the user is capable of changing or stopping or disabling the statuses of the logins or the sessions by which the different programs used by the user enter the user's APIDs at different service parties.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where after a user logs in to the AUID at the authentication center by using the current terminal the authentication center is capable of sending the statuses of the logins or the sessions by which the different programs on the different terminals used by the user enter the user's APIDs at different service parties to the current terminal used by the user, where on the current terminal's interface which has logged in to the user's AUID at the authentication center the user is capable of changing or stopping or disabling the statuses of the logins or the sessions by which the different programs on the different terminals used by the user enter the user's APIDs at different service parties.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center to permit or forbid the specific program on the specific terminal, or the specific program, to log in to the user's APID at the specific service party.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center to forbid the specific program on the specific terminal, or the specific program, which is not registered in the authentication center or not associated with the user's AUID at the authentication center to log in to the user's APID at the specific service party or the user's APIDs at all service parties.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center, or the authentication center is capable of setting automatically by default, that the specific program on the specific terminal, or the specific program, must log in to the user's APID at the specific service party through the authentication center, or is capable of logging in to the user's APID at the specific service party only when the user has logged in to the user's AUID at the authentication center by the authentication program.

A system or method for authentication center includes an authentication center, service parties, users and terminals, and the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, where the user has the user account AUID at the authentication center, and the user has the user account APID at the service party, and the user is capable of using the terminal to establish independent connections with the authentication center and the service party respectively, and the user is capable of logging in to the AUID and the APID through the independent connections, where the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties, where a user is capable of setting at the authentication center to permit or forbid the specific program on the specific terminal, or the specific program, to use the specific function of the specific service party.

A user is capable of logging in to the same service party by using different terminals.

A user is capable of logging in to the same authentication center by using different terminals.

A user is capable of logging in to the same service party by using different programs or by using different programs on different terminals.

A user is capable of logging in to the same authentication center by using different programs or by using different programs on different terminals.

After a user logs in to the AUID of the authentication center by using the current terminal, the authentication center is capable of sending the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APIDs at different service parties to the current terminal used by the user. On the current terminal's interface which has logged in to the user's AUID at the authentication center the user is capable of changing or stopping or disabling the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APIDs at different service parties.
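The flow just described (service parties report login/session statuses to the authentication center, the user logs in to the AUID from the current terminal, sees every session across service parties and disables the ones belonging to an old terminal) can be made concrete with a small simulation. This is an added illustration, not code from the patent or from any implementation of it; the class names, the session tokens, the AUID/APID values and the terminal and program identifiers are all constructed for the example. It goes slightly beyond the paragraph above by recording the program identification information next to the terminal identification information, so the same registry serves both the per-terminal and per-program variants of the description.

```python
"""Toy authentication center aggregating session statuses from service parties.
Added example; every identifier below is a constructed sample value."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SessionStatus:
    """One login/session status as a service party reports it to the center."""
    apid: str            # the user's account (APID) at the reporting service party
    terminal_id: str     # "terminal identification information"
    program_id: str      # "program identification information" (browser, app, ...)
    active: bool = True


class ServiceParty:
    """A website or app backend that keeps its own sessions keyed by token."""

    def __init__(self, name: str, center: "AuthenticationCenter"):
        self.name, self.center = name, center
        self.sessions: Dict[str, SessionStatus] = {}

    def login(self, token: str, apid: str, terminal_id: str, program_id: str) -> None:
        status = SessionStatus(apid, terminal_id, program_id)
        self.sessions[token] = status
        # the service party sends the status of the new login to the center
        self.center.report_status(self.name, token, status)

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.active

    def terminate(self, token: str) -> None:
        # invoked by the center when the user disables the session there
        if token in self.sessions:
            self.sessions[token].active = False


class AuthenticationCenter:
    def __init__(self) -> None:
        self.parties: Dict[str, ServiceParty] = {}
        self.auid_to_apids: Dict[str, Dict[str, str]] = {}          # AUID -> {party: APID}
        self.statuses: Dict[Tuple[str, str], SessionStatus] = {}   # (party, token) -> status
        self.auid_logged_in: Dict[str, str] = {}                    # AUID -> current terminal

    def register_party(self, party: ServiceParty) -> None:
        self.parties[party.name] = party

    def link(self, auid: str, party_name: str, apid: str) -> None:
        """Store the corresponding relationship between an AUID and one of its APIDs."""
        self.auid_to_apids.setdefault(auid, {})[party_name] = apid

    def report_status(self, party_name: str, token: str, status: SessionStatus) -> None:
        self.statuses[(party_name, token)] = status

    def login_auid(self, auid: str, terminal_id: str) -> None:
        self.auid_logged_in[auid] = terminal_id

    def list_sessions(self, auid: str) -> List[Tuple[str, str, SessionStatus]]:
        """Statuses sent to the current terminal: only sessions of this AUID's own APIDs."""
        if auid not in self.auid_logged_in:
            raise PermissionError("AUID is not logged in at the authentication center")
        mine = self.auid_to_apids.get(auid, {})
        return [(party, token, st) for (party, token), st in self.statuses.items()
                if mine.get(party) == st.apid]

    def disable_session(self, auid: str, party_name: str, token: str) -> bool:
        # a user can only disable sessions that belong to one of their own APIDs
        for party, tok, st in self.list_sessions(auid):
            if party == party_name and tok == token and st.active:
                st.active = False
                self.parties[party].terminate(token)
                return True
        return False


def demo() -> Tuple[int, int, bool, bool]:
    """Replace a phone: revoke every session the old phone still holds."""
    ac = AuthenticationCenter()
    shop, chat = ServiceParty("shop", ac), ServiceParty("chat", ac)
    ac.register_party(shop)
    ac.register_party(chat)
    ac.link("alice@ac", "shop", "alice-shop")
    ac.link("alice@ac", "chat", "alice-chat")
    shop.login("tok-old-shop", "alice-shop", "old-phone", "shop-app")
    chat.login("tok-old-chat", "alice-chat", "old-phone", "browser")
    chat.login("tok-new-chat", "alice-chat", "new-phone", "chat-app")
    ac.login_auid("alice@ac", "new-phone")
    before = sum(st.active for _, _, st in ac.list_sessions("alice@ac"))
    for party, token, st in ac.list_sessions("alice@ac"):
        if st.terminal_id == "old-phone":
            ac.disable_session("alice@ac", party, token)
    after = sum(st.active for _, _, st in ac.list_sessions("alice@ac"))
    return before, after, shop.is_valid("tok-old-shop"), chat.is_valid("tok-new-chat")
```

The filter in `list_sessions` is the important part: the center only exposes and only revokes statuses whose APID is mapped to the requesting AUID, so one user cannot see or terminate another user's sessions even though all service parties report into the same registry.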

A user is capable of setting at the authentication center to permit or forbid the specific terminal to log in to the user's APID at the specific service party. And the specific terminal may be the terminal not registered at the authentication center, or the terminal not associated with the user's AUID at the authentication center, or the terminal of a specific type, or a specific terminal, or all terminals. When a user logs in to the APID at the service party by using a terminal, the service party sends the “terminal identification information” to the authentication center and then the authentication center returns the confirmation which permits or forbids the login; or a user must log in to the user's APID at the service party by logging in to the authentication center first, and then the authentication center decides directly whether the login by which the user's terminal enters the service party is permitted. For example: a user is capable of setting at the authentication center to permit or forbid the mobile terminal to log in to the user's account at the payment platform.

A user is capable of setting at the authentication center to forbid the terminal which is not registered in the authentication center or not associated with the user's AUID at the authentication center to log in to the user's APID at the specific service party or the user's APIDs at all service parties.

A user is capable of setting at the authentication center, or the authentication center is capable of setting automatically by default, that the specific terminal must log in to the user's APID at the specific service party through the authentication center, or that the specific terminal is capable of logging in to the user's APID only when the user has logged in to the user's AUID by the authentication program. And the specific terminal may be the terminal not registered at the authentication center, or the terminal not associated with the user's AUID at the authentication center, or the terminal of a specific type, or a specific terminal, or all terminals. For example: when a user logs in to the user's APID at the service party by using the specific terminal, the specific terminal must request and get the authentication certificate for this login, and then the specific terminal transfers the authentication certificate to the service party, and only after the service party verifies that the authentication certificate is correct will the service party permit the specific terminal to log in to the user's APID.

A user is capable of setting at the authentication center to permit or forbid the specific terminal to use the specific function of the specific service party. And the specific terminal may be the terminal not registered at the authentication center, or the terminal not associated with the user's AUID at the authentication center, or the terminal of a specific type, or a specific terminal, or all terminals. For example, a user is capable of setting at the authentication center to forbid the mobile terminal to pay or transfer funds through the user's account at a third-party payment platform.

The service party sends the statuses of the logins or the sessions by which the different programs used by a user enter the user's APIDs at the service party to the authentication center. And after a user logs in to the AUID at the authentication center by using the current terminal, the authentication center is capable of sending the statuses of the logins or the sessions by which the different programs used by the user enter the user's APIDs at different service parties to the current terminal used by the user. And on the current terminal's interface which has logged in to the user's AUID at the authentication center the user is capable of changing or stopping or disabling the statuses of the logins or the sessions by which the different programs used by the user enter the user's APIDs at different service parties.

The service party sends the statuses of the logins or the sessions by which the different programs on the different terminals used by a user enter the user's APIDs at the service party to the authentication center. And after a user logs in to the AUID of the authentication center by using the current terminal, the authentication center sends the statuses of the logins or the sessions by which the different programs on the different terminals used by the user enter the user's APIDs at different service parties to the current terminal used by the user. And on the current terminal's interface which has logged in to the user's AUID at the authentication center the user is capable of changing or stopping or disabling the statuses of the logins or the sessions by which the different programs on the different terminals used by the user enter the user's APIDs at different service parties.

A user is capable of setting at the authentication center to permit or forbid the specific program on the specific terminal, or the specific program, to log in to the user's APID at the specific service party.

A user is capable of setting at the authentication center to forbid the specific program on the specific terminal, or the specific program, which is not registered in the authentication center or not associated with the user's AUID at the authentication center to log in to the user's APID at the specific service party or the user's APIDs at all service parties.

A user is capable of setting at the authentication center, or the authentication center is capable of setting automatically by default, that the specific program on the specific terminal, or the specific program, must log in to the user's APID at the specific service party through the authentication center, or is capable of logging in to the user's APID at the specific service party only when the user has logged in to the user's AUID at the authentication center by the authentication program.

A user is capable of setting at the authentication center to permit or forbid the specific program on the specific terminal, or the specific program, to use the specific function of the specific service party.

The program in this invention is functional software, for example: a browser or an application program or a special program.

When a user logs in to the user's APID at the specific service party or the user's APIDs at all service parties by using a terminal not registered at the authentication center or by using a terminal not associated with the user's AUID at the authentication center, the authentication center sends the request for confirmation to the user, and the terminal is capable of logging in to the user's APID only after the user sends the confirmation to the authentication center.
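The terminal-level settings described in the preceding paragraphs (permit or forbid a terminal's login at a service party, forbid a specific function for a terminal, require a terminal to log in through the authentication center by presenting an authentication certificate, and ask the user for confirmation when an unregistered or unassociated terminal logs in) combine into one policy decision. The following is an added example of that decision logic, not code from the patent. The "secret key pair" between the service party and the authentication center is modelled here as a shared symmetric key with an HMAC tag over the certificate; the expiry field, the key values, the AUID/APID strings and the terminal names are constructed for the example.

```python
"""Added example: terminal-level login policy at an authentication center,
including the authentication-certificate check by the service party.
Keys, identifiers and the 60-second certificate lifetime are constructed."""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ALLOW, DENY, NEEDS_CONFIRMATION = "allow", "deny", "needs_confirmation"


@dataclass
class UserPolicy:
    """Settings one AUID keeps at the center (constructed model of the description)."""
    associated_terminals: Set[str] = field(default_factory=set)
    forbidden_logins: Set[Tuple[str, str]] = field(default_factory=set)          # (terminal, party)
    forbidden_functions: Set[Tuple[str, str, str]] = field(default_factory=set)  # (terminal, party, function)
    certificate_required: Set[str] = field(default_factory=set)                 # must log in through the center
    confirmed_terminals: Set[str] = field(default_factory=set)                  # user answered the confirmation
    pending_confirmations: Set[str] = field(default_factory=set)


class AuthenticationCenter:
    def __init__(self) -> None:
        self.registered_terminals: Set[str] = set()
        self.policies: Dict[str, UserPolicy] = {}
        self.apid_to_auid: Dict[Tuple[str, str], str] = {}   # (party, apid) -> AUID
        self.party_keys: Dict[str, bytes] = {}                # key agreed with each service party

    def policy(self, auid: str) -> UserPolicy:
        return self.policies.setdefault(auid, UserPolicy())

    def decide_login(self, party: str, apid: str, terminal: str, certificate_verified: bool = False) -> str:
        """Answer the service party's question: may this terminal enter this APID?"""
        auid = self.apid_to_auid.get((party, apid))
        if auid is None:
            return DENY                                   # no AUID/APID relationship stored
        pol = self.policy(auid)
        if (terminal, party) in pol.forbidden_logins:
            return DENY
        if terminal in pol.certificate_required and not certificate_verified:
            return DENY                                   # must come through the center
        known = terminal in self.registered_terminals and terminal in pol.associated_terminals
        if not known and terminal not in pol.confirmed_terminals:
            pol.pending_confirmations.add(terminal)       # request confirmation from the user
            return NEEDS_CONFIRMATION
        return ALLOW

    def decide_function(self, party: str, apid: str, terminal: str, function: str) -> str:
        auid = self.apid_to_auid.get((party, apid))
        if auid is None or (terminal, party, function) in self.policy(auid).forbidden_functions:
            return DENY
        return ALLOW

    def user_confirms(self, auid: str, terminal: str) -> None:
        pol = self.policy(auid)
        pol.pending_confirmations.discard(terminal)
        pol.confirmed_terminals.add(terminal)

    def issue_certificate(self, auid: str, party: str, apid: str, terminal: str,
                          now: Optional[int] = None) -> str:
        """Certificate a terminal logged in to its AUID fetches and hands to the party."""
        if terminal not in self.policy(auid).associated_terminals:
            raise PermissionError("terminal not associated with this AUID")
        body = json.dumps({"apid": apid, "terminal": terminal,
                           "exp": int(now or time.time()) + 60}, sort_keys=True)
        tag = hmac.new(self.party_keys[party], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class ServiceParty:
    def __init__(self, name: str, center: AuthenticationCenter, key: bytes) -> None:
        self.name, self.center, self.key = name, center, key
        center.party_keys[name] = key

    def verify_certificate(self, cert: str, apid: str, terminal: str, now: Optional[int] = None) -> bool:
        body, _, tag = cert.rpartition(".")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected):
            return False                                  # tampered or not issued by the center
        claims = json.loads(body)
        return (claims["apid"] == apid and claims["terminal"] == terminal
                and claims["exp"] > int(now or time.time()))

    def login(self, apid: str, terminal: str, certificate: Optional[str] = None) -> str:
        verified = certificate is not None and self.verify_certificate(certificate, apid, terminal)
        return self.center.decide_login(self.name, apid, terminal, verified)


def demo() -> List[str]:
    ac = AuthenticationCenter()
    pay = ServiceParty("pay", ac, b"constructed-shared-key")
    ac.apid_to_auid[("pay", "alice-pay")] = "alice@ac"
    ac.registered_terminals.add("laptop")
    pol = ac.policy("alice@ac")
    pol.associated_terminals.add("laptop")
    pol.certificate_required.add("laptop")                      # laptop must go through the center
    pol.forbidden_functions.add(("laptop", "pay", "transfer"))  # but may not transfer funds
    results = [pay.login("alice-pay", "laptop")]                # no certificate
    cert = ac.issue_certificate("alice@ac", "pay", "alice-pay", "laptop")
    results.append(pay.login("alice-pay", "laptop", cert))      # valid certificate
    results.append(pay.login("alice-pay", "laptop", cert.replace("laptop", "tablet")))  # altered body
    results.append(ac.decide_function("pay", "alice-pay", "laptop", "transfer"))
    results.append(pay.login("alice-pay", "unknown-phone"))     # unregistered terminal
    ac.user_confirms("alice@ac", "unknown-phone")
    results.append(pay.login("alice-pay", "unknown-phone"))
    return results
```

Note that the service party verifies the certificate itself, as the description requires, and only then tells the center whether verification succeeded; the center still applies the forbid lists and the confirmation rule, so a valid certificate does not bypass a user's explicit "forbid" setting.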

The status of the login or the session sent by the service party to the authentication center includes the “terminal identification information” corresponding to the terminal. And “corresponding to the terminal” refers to corresponding respectively to the different terminals used by the user.

The status of the login or the session sent by the service party to the authentication center includes the “program identification information” corresponding to the specific program on the terminal. And “corresponding to the specific program on the terminal” refers to corresponding respectively to the different programs on the different terminals used by the user.

The authentication center stores the “terminal identification information” or the “terminal authentication center identification information” or both. And the authentication center is capable of getting the “terminal identification information” of a terminal from the “terminal authentication center identification information” of the terminal. And the authentication center is capable of getting the “terminal authentication center identification information” of a terminal from the “terminal identification information” of the terminal. And a terminal is registered at the authentication center if the authentication center stores the “terminal identification information” or the “terminal authentication center identification information” of the terminal. And a terminal is associated with a user's AUID at the authentication center if the terminal's “terminal identification information” or “terminal authentication center identification information” stored by the authentication center is associated with the user's AUID.

The “terminal identification information” or the “terminal authentication center identification information” includes or is accompanied by the “program identification information” by which to distinguish the different programs on the terminal. And a user (directly or through the authentication center) or the authentication center is capable of identifying the specific program which the user uses on the terminal to log in to the user's APID at the service party.

The specific program which a user uses on the terminal to log in to the user's APID at the service party stores the “program identification information”.

The authentication program which a user uses on the terminal to log in to the user's AUID at the authentication center stores the “program identification information”.

A user uses the authentication program to log in to the user's AUID at the authentication center. And the authentication program on the terminal stores the “terminal identification information” of the terminal.

A user uses the authentication program to log in to the user's AUID at the authentication center. And the authentication program on the terminal stores the “program identification information” of the specific program which the user uses to log in to the user's APID at the service party.

The specific program which a user uses on the terminal to log in to the APID at the service party stores the “program identification information” of the specific program of the terminal. And when the user uses the specific program of the terminal to log in to the service party, the specific program sends the “program identification information” to the service party.

The statuses of the logins or the sessions which the authentication center sends to the current terminal which the user is using include the “terminal identification information” corresponding to the different terminals used by the user, or the “terminal authentication center identification information” corresponding to the different terminals used by the user, or both.

The terminal used by the user stores at least one of the “terminal identification information” or the “terminal authentication center identification information”. And the authentication center is capable of getting the “terminal identification information” of a terminal from the “terminal authentication center identification information” of the terminal. And the authentication center is capable of getting the “terminal authentication center identification information” of a terminal from the “terminal identification information” of the terminal.

The terminal used by a user stores at least one of the “terminal identification information” or the “terminal service party identification information”. And the service party is capable of getting the “terminal identification information” of a terminal from the “terminal service party identification information” of the terminal. And the service party is capable of getting the “terminal service party identification information” of a terminal from the “terminal identification information” of the terminal.

The different terminals used by a user have different “terminal identification information” or different “terminal authentication center identification information” or different “terminal service party identification information”. And the different terminals used by a user have different “terminal identification information”. And the different terminals used by a user have different “terminal authentication center identification information”. And the different terminals used by a user have different “terminal service party identification information”. And “different” refers to different from each other, or not the same one.

The service party is capable of distinguishing the different terminals which a user uses by the “terminal identification information” or the “terminal service party identification information”.

The authentication center is capable of distinguishing the different terminals which a user uses by the “terminal identification information” or the “terminal authentication center identification information”.

A user is capable of distinguishing the different terminals which the user uses himself by the “terminal identification information” or the “terminal authentication center identification information” or the “terminal service party identification information”.

The same terminal used by the same user has the same “terminal identification information” or the same “terminal authentication center identification information” or the same “terminal service party identification information”.

There is a corresponding agreed algorithm or secret key pair between the service party and the authentication center, or between the authentication center and the terminal used by the user, or between the service party and the terminal used by the user. And the “terminal identification information” or the “terminal authentication center identification information” or the “terminal service party identification information” is transferred by the agreed algorithm or the secret key pairs. And the secret key pairs are for symmetric encryption or asymmetric encryption. The service party and the authentication center, or the authentication center and the terminal used by the user, or the service party and the terminal used by the user, respectively have the agreed algorithm or a part of the agreed algorithm or the symmetric encryption key or one of the asymmetric encryption key pair, and both are capable of calculating respectively based on the agreed algorithm or the secret key pairs while transferring the “terminal identification information” or the “terminal authentication center identification information” or the “terminal service party identification information”. For example: the user's terminal has a private key, and the service party has the public key corresponding to the private key, and the user's terminal encrypts the “terminal identification information” or the “terminal service party identification information” by the private key and sends the encrypted information to the service party, and the service party decrypts the encrypted information by the public key to get the “terminal identification information” or the “terminal service party identification information”.

For another example: the user's terminal has a private key, and the service party has the public key corresponding to the private key, and the user's terminal encrypts the “terminal identification information” by the private key and sends the encrypted information to the service party, and the service party puts the encrypted information into the status of the login to send together to the authentication center, and the authentication center decrypts it by the public key to get the “terminal identification information”.

Each time a user uses a terminal to reconnect and log in to the service party, the terminal sends the “terminal identification information” of the terminal or the “terminal service party identification information” of the terminal to the service party. And the service party is capable of getting the “terminal identification information” of the terminal from the “terminal service party identification information” of the terminal. And the connection refers to a generalized connection, which includes the connection based on the identification information and the connection based on the network addresses, for example: the conversation connection based on the identification information and the TCP connection based on the network addresses. Or the connection may refer to the connection based on the network address mapping, for example: the connection based on TCP or IP addresses. And the service party stores the “terminal service party identification information” of the terminal. And the “terminal identification information” may be stored on the terminal, or be transferred from the authentication center to the terminal and then be transferred from the terminal to the service party, or be input into the terminal by the user. And the “terminal identification information” or the “terminal service party identification information” may be set by the user or be generated by the authentication center or be the feature information of the terminal itself.

The “terminal identification information” or the “terminal service partyidentification information” sent from the user's terminal to the serviceparty may be stored at the user's terminal or be sent to the user'sterminal by the authentication center. For example: the user's terminaland the authentication center both are capable of only storing the“terminal authentication center identification information” (which isgenerated by the authentication center and sent to the user's terminalwhen the user logins the authentication center), and after the userlogins the authentication center by using the terminal theauthentication center gets the “terminal authentication centeridentification information” of the terminal of the user, and when theuser logins the service party by using the terminal the service partyinforms the authentication center, and the authentication centergenerates a “terminal identification information” for the terminal andsends it to the terminal, and the terminal of the user sends the“terminal identification information” and the login request together tothe service party, and the service party sends the “terminalidentification information” together to the authentication center whilesending the status of the login or the session to the authenticationcenter, and The authentication center is capable of distinguishing bythe “terminal identification information” the specific terminal to whichthe status of the login or the session corresponds. 
For another example:the user's terminal and the service party both have the “terminalservice party identification information” (Supposing that it's generatedand distributed by the user's terminal), and the user's terminal, theservice party and the authentication center all have the “terminalidentification information” (Supposing it's generated and distributed bythe authentication center), and the user sends the “terminal serviceparty identification information” to the service party when the userlogins the service party, and the service party gets the corresponding“terminal identification information” according to the “terminal serviceparty identification information”, and the service party sends the“terminal identification information” to the authentication center.

After a user logins the user's APID at the service party by using aterminal the service party stores correspondingly the status of thelogin or the session by which the terminal enters the user's APID andthe “terminal identification information” or the “terminal service partyidentification information” of the terminal. And the service party iscapable of getting the “terminal identification information” or the“terminal service party identification information” of the terminalaccording to the status of the login or the session of the terminal. Forexample: the service party stores the status of the login of theterminal by means of the conversation secret key, and the service partystores the “terminal identification information” of the terminal and theconversation secret key of the terminal correspondingly.

Each time a user uses a terminal to reconnect and login theauthentication center the terminal sends the “terminal identificationinformation” of the terminal or the “terminal authentication centeridentification information” of the terminal to the authenticationcenter. And the authentication center is capable of getting the“terminal identification information” of the terminal from the “terminalauthentication center identification information” of the terminal. Andthe connection refers to generalized connection, which including theconnection based on the identification information and the connectionbased on the network address, for example: the conversation connectionbased on the identification information and the TCP connection based onthe network addresses. And the connection refers to the connection basedon network addresses mapping, for example: the connection based on theTCP or IP addresses.

The “terminal identification information” or the “terminalauthentication center identification information” includes the “terminaluser identification information” set by the user for the terminal, orthere is the “terminal user identification information” set by the userfor the terminal corresponding to the “terminal identificationinformation” or the “terminal authentication center identificationinformation”. For example: at the interface which has logined theauthentication center the user is capable of setting the “terminal useridentification information” for the terminal, such as “my mobile phone”,“my office computer”, “my home computer”. And the “terminal useridentification information” may be the “terminal identificationinformation” or a part of the “terminal identification information”,also may be the information stored at the authentication center andcorresponding to the “terminal identification information” orcorresponding to the “terminal authentication center identificationinformation”

When the status of the login or the session by which the terminal enters a user's APID at the service party is invalid, the terminal can log in to the user's APID at the service party only after the user inputs the user verification information into the terminal, passes identity authentication with the verification device, or passes the indirect authentication of the third party on the terminal; only then can the status of the login or the session by which the terminal enters the user's APID at the service party change to valid.

When the status of the login or the session by which the terminal enters a user's AUID at the authentication center is invalid, the terminal can log in to the user's AUID at the authentication center only after the user inputs the user verification information into the terminal, passes identity authentication with the verification device, or passes the indirect authentication of the third party on the terminal; only then can the status of the login or the session by which the terminal enters the user's AUID at the authentication center change to valid.

When the status of the login or the session by which the terminal enters a user's APID at the service party is invalid and the status of the login or the session by which the terminal enters the third party is invalid too, the status of the login or the session by which the terminal enters the user's APID at the service party can change to valid only after the user inputs the user verification information into the terminal or passes identity authentication with the verification device, where “passing the identity authentication” means that the user passes the identity authentication of the service party or of the third party with the terminal.

When the status of the login or the session by which the terminal enters a user's AUID at the authentication center is invalid and the status of the login or the session by which the terminal enters the third party is invalid too, the status of the login or the session by which the terminal enters the user's AUID at the authentication center can change to valid only after the user inputs the user verification information into the terminal or passes identity authentication with the verification device, where “passing the identity authentication” means that the user passes the identity authentication of the authentication center or of the third party with the terminal.

The user verification information or the user verification device is information or a device uniquely owned by the user, by which the user can pass identity authentication on different terminals. “Inputting the user verification information into the terminal” means inputting it through the input device of the terminal or through another device.

The user verification device is a portable external device.

That the user inputs the user verification information into the terminal, or uses the user verification device, means that the user inputs the information or uses the device manually.

The means of inputting the user verification information or of using the user verification device include username/password, a returning code or an agreed code, user biological characteristics, a portable external IC card, and scanning a two-dimensional code with a mobile phone. Username/password, the returning code, the agreed code and user biological characteristics are user verification information; the mobile phone and the portable external IC card are user verification devices. The returning code is the means by which the authentication center or the service party returns a confirmation code to a specific terminal of the user and the user inputs it into the current terminal to pass the identity authentication of the authentication center or the service party. The agreed code may be a paper-based or electronic dynamic password: the user must input the agreed code with the designated sequence number, or the dynamic password currently displayed, to pass authentication. User biological characteristics are the means by which the user passes identity authentication with the user's own biological characteristics, for example the user's fingerprint. The portable external IC card is the means of a USB key: the user must connect the IC card (USB key) to the peripheral interface (USB interface) of the terminal to pass authentication.
Scanning a two-dimensional code with a mobile phone is the means by which the user uses the camera of the mobile phone to scan the two-dimensional login code displayed on a terminal's display, and the mobile phone then sends the information of the two-dimensional code to the party being logged in to, or to the third party assisting the login. The party being logged in to permits the user's terminal to log in to the corresponding user account once it, or the third party, confirms that the information of the two-dimensional code is correct; where the third party confirms it, the third party notifies the party being logged in to.
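The returning code and the two-dimensional login code described above are both short-lived challenges that the verifying party must bind to the terminal that is logging in: a code delivered to one registered terminal is typed into another, and a code displayed on one terminal is approved from the phone. The following class is an added example, not the patent's own design or code, showing how such a challenge store can enforce expiry, single use, a wrong-entry limit and the binding to the logging-in terminal. The time-to-live, the attempt limit, the six-digit code format and the account and terminal names are assumptions of this example; the page does not fix any of them.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

# Assumptions of this example (the page fixes neither value): a challenge expires after
# CODE_TTL seconds, and a returning code tolerates MAX_ATTEMPTS wrong entries.
CODE_TTL = 120.0
MAX_ATTEMPTS = 3


class ChallengeStore:
    """Short-lived, single-use challenges, each bound to the terminal that is logging in."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock so expiry can be tested
        self._pending: Dict[str, dict] = {}

    def _live(self, challenge_id: str, kind: str) -> Optional[dict]:
        rec = self._pending.get(challenge_id)
        if rec is None or rec["kind"] != kind:
            return None
        if self._now() > rec["expires"]:
            del self._pending[challenge_id]   # expired challenges are forgotten, not reusable
            return None
        return rec

    # --- returning code: delivered to a registered terminal, typed into the current one ---

    def issue_returning_code(self, auid: str, current_terminal: str) -> Tuple[str, str]:
        code = f"{secrets.randbelow(10 ** 6):06d}"          # six-digit confirmation code
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = {"kind": "returning_code", "auid": auid,
                                       "terminal": current_terminal, "secret": code,
                                       "expires": self._now() + CODE_TTL, "attempts": 0}
        return challenge_id, code   # the code goes out-of-band to the user's registered terminal

    def verify_returning_code(self, challenge_id: str, current_terminal: str, entered: str) -> bool:
        rec = self._live(challenge_id, "returning_code")
        if rec is None or rec["terminal"] != current_terminal:
            return False                                     # unknown, expired or wrong terminal
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["secret"].encode(), entered.encode())
        if ok or rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[challenge_id]   # single use; too many wrong entries also burns it
        return ok

    # --- two-dimensional code: shown on the terminal, scanned and approved from the phone ---

    def issue_qr_login(self, terminal: str) -> str:
        nonce = secrets.token_urlsafe(24)   # the content encoded in the displayed QR code
        self._pending[nonce] = {"kind": "qr", "terminal": terminal, "approved_by": None,
                                "expires": self._now() + CODE_TTL}
        return nonce

    def approve_qr_login(self, nonce: str, phone_auid: str) -> bool:
        """The phone, already logged in as phone_auid, sends back the code it scanned."""
        rec = self._live(nonce, "qr")
        if rec is None:
            return False
        rec["approved_by"] = phone_auid
        return True

    def complete_qr_login(self, nonce: str, terminal: str) -> Optional[str]:
        """The displaying terminal polls; once approved it learns which account it may enter."""
        rec = self._live(nonce, "qr")
        if rec is None or rec["terminal"] != terminal or rec["approved_by"] is None:
            return None
        del self._pending[nonce]              # one approval admits exactly one login
        return rec["approved_by"]
```

Because the QR nonce is generated by the verifying party and only ever completed by the terminal that displayed it, a scan relayed from somewhere else cannot complete a login on a different terminal; the returning code likewise answers only for the terminal it was issued for.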

If the status of the login or the session by which the terminal enters the user's APID at the service party is valid, the terminal can log in to or enter the user's APID at the service party without the user inputting the user verification information into the terminal, using the user verification device to pass identity authentication, or passing the indirect authentication on the terminal.

If the status of the login or the session by which the terminal enters the user's AUID at the authentication center is valid, the terminal can log in to or enter the user's AUID at the authentication center without the user inputting the user verification information into the terminal, using the user verification device to pass identity authentication, or passing the indirect authentication on the terminal.

If the status of the login or the session by which the terminal enters the user's APID at the service party or the user's AUID at the authentication center is invalid, the terminal can log in to or enter the user's APID at the service party or the user's AUID at the authentication center only after the user passes identity authentication on the terminal by inputting the user verification information or using the user verification device, or passes the indirect authentication on the terminal.

When a user uses the terminal to log in to the service party, the third party is another party on the network, different from the terminal and the service party. When the terminal logs in to the service party through the indirect authentication of the third party, the authentication center may be the third party that provides that indirect authentication.

When a user logs in to the authentication center with the terminal, the third party is another party on the network, different from the terminal and the authentication center.

Before a user passes the indirect authentication of the third party to log in to the service party or the authentication center, the user has already passed the identity authentication of the third party on the terminal by inputting the user verification information or using the user verification device. While the terminal logs in to the service party or the authentication center through the indirect authentication of the third party, the user does not need to perform the third party's authentication on the terminal again by inputting the user verification information or using the user verification device. The third party is a third party or intermediary on the internet that provides such indirect authentication.

After a user logs in to the user's AUID at the authentication center with a terminal, changing the status of the login or the session by which the terminal enters the AUID from invalid to valid, the service party sends the statuses of the logins or the sessions to the authentication center. That is, when a user logs in to the user's AUID at the authentication center with a terminal, the authentication center sends requests for refreshing the statuses to the service parties at which the APIDs corresponding to the AUID are held, and each service party that receives the request sends to the authentication center the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APID at that service party. The service parties at which the AUID's corresponding APIDs are held may be the service parties of all of the AUID's corresponding APIDs, or the service party of a specific APID specified by the user.

When a user requests refreshing of the status information on the interface that has logged in to the authentication center with the terminal, the service party sends the statuses of the logins or the sessions to the authentication center. That is, when a user logs in to the user's AUID at the authentication center with the terminal and chooses to request refreshing of the status information, the authentication center sends the request for refreshing the statuses to the service party at which the APID corresponding to the user's AUID is held, and the service party that receives the request sends to the authentication center the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APID at that service party. The service parties at which the AUID's corresponding APIDs are held may be the service parties of all of the AUID's corresponding APIDs, or the service party of a specific APID specified by the user.

When the status of the login or the session by which a terminal used by the user enters the user's APID at the service party changes, the service party sends the refreshed status of the login or the session to the authentication center. When the status changes, the service party sends the refreshed status to the authentication center only while the status of the login or the session by which the user enters the authentication center is valid.

The status of the login or the session includes at least two statuses, valid and invalid, and the valid status may be subdivided into active and dormant. For example: while the conversation secret key of the user's terminal is valid (the login or session is in the valid status), the status may be regarded as dormant when the terminal does not maintain a valid TCP connection with the service party or the authentication center, or has not communicated with the service party or the authentication center within a specific duration; conversely, it may be regarded as active when the terminal maintains a valid TCP connection with the service party or the authentication center, or has communicated with it within the specific duration.
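The paragraphs above describe the core exchange of the system: the service party keeps each terminal's login status under a conversation secret key together with that terminal's identification information, reports statuses to the authentication center on login and on refresh requests, and accepts the user's decision (made on the AUID interface) to stop a terminal's session; a valid session is active or dormant depending on recent traffic. The following simulation is an added example, not the patent's own code, that runs both roles in one process. The dormancy window, the shape of the session record, the in-process method calls standing in for network messages, and the account and terminal names are assumptions of this example.

```python
import secrets
import time
from typing import Callable, Dict

# Assumption of this example: a valid session counts as dormant after this many seconds
# without traffic from the terminal (the page leaves the "specific duration" open).
DORMANT_AFTER = 300.0


class AuthenticationCenter:
    """Holds AUID -> APID links and the statuses that service parties report."""

    def __init__(self):
        self._parties: Dict[str, "ServiceParty"] = {}
        self._links: Dict[str, Dict[str, str]] = {}               # AUID -> {party name: APID}
        self._view: Dict[str, Dict[str, Dict[str, str]]] = {}     # AUID -> party -> terminal -> status

    def register_service_party(self, party: "ServiceParty") -> None:
        self._parties[party.name] = party

    def associate(self, auid: str, party_name: str, apid: str) -> None:
        self._links.setdefault(auid, {})[party_name] = apid

    def receive_status(self, party_name: str, apid: str, terminal_id: str, status: str) -> None:
        """Service parties push status changes here; the center files them under the linked AUID."""
        for auid, links in self._links.items():
            if links.get(party_name) == apid:
                self._view.setdefault(auid, {}).setdefault(party_name, {})[terminal_id] = status

    def refresh(self, auid: str) -> Dict[str, Dict[str, str]]:
        """Ask every linked service party for current statuses (on AUID login or on request)."""
        for party_name, apid in self._links.get(auid, {}).items():
            for terminal_id, status in self._parties[party_name].statuses_for(apid).items():
                self.receive_status(party_name, apid, terminal_id, status)
        return self._view.get(auid, {})

    def stop_session(self, auid: str, party_name: str, terminal_id: str) -> bool:
        """The user, on the AUID interface, disables one terminal's session at one service party."""
        apid = self._links.get(auid, {}).get(party_name)
        if apid is None:
            return False
        return self._parties[party_name].invalidate(apid, terminal_id)


class ServiceParty:
    """One service party: APID sessions keyed by a per-terminal conversation secret key."""

    def __init__(self, name: str, center: AuthenticationCenter,
                 now: Callable[[], float] = time.time):
        self.name, self._center, self._now = name, center, now
        self._sessions: Dict[str, dict] = {}   # conversation key -> session record
        center.register_service_party(self)

    def login(self, apid: str, terminal_id: str) -> str:
        """Called only after the user passed identity authentication on this terminal."""
        key = secrets.token_urlsafe(16)
        self._sessions[key] = {"apid": apid, "terminal_id": terminal_id,
                               "valid": True, "last_seen": self._now()}
        self._center.receive_status(self.name, apid, terminal_id, self.status_of(key))
        return key

    def touch(self, key: str) -> bool:
        """Per-request check: an invalid session is refused, so the terminal must authenticate again."""
        session = self._sessions.get(key)
        if session is None or not session["valid"]:
            return False
        session["last_seen"] = self._now()
        return True

    def status_of(self, key: str) -> str:
        session = self._sessions.get(key)
        if session is None or not session["valid"]:
            return "invalid"
        return "active" if self._now() - session["last_seen"] <= DORMANT_AFTER else "dormant"

    def statuses_for(self, apid: str) -> Dict[str, str]:
        return {s["terminal_id"]: self.status_of(k)
                for k, s in self._sessions.items() if s["apid"] == apid}

    def invalidate(self, apid: str, terminal_id: str) -> bool:
        """Invoked by the authentication center on the user's behalf; reports the change back."""
        changed = False
        for session in self._sessions.values():
            if session["apid"] == apid and session["terminal_id"] == terminal_id and session["valid"]:
                session["valid"] = False
                changed = True
        if changed:
            self._center.receive_status(self.name, apid, terminal_id, "invalid")
        return changed
```

The point to check in a real implementation is the one `touch` enforces: once the authentication center has relayed the user's decision, the old terminal's conversation key must be refused on its next request, not merely hidden from the list the user sees.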

The information that the service party sends to the authentication center may contain other information about the user's APID besides the statuses of the logins or the sessions by which the terminals used by the user enter the APID at the service party; the service party may send such related information together with the status of the login or the session. The service party sends other related information about a user's APID to the authentication center when the status of the login or the session by which the terminal used by the user enters the user's APID at the service party changes from invalid to valid, when the user requests a refresh of the other related information on the interface that has logged in to the authentication center, or when the other related information of the user's APID at the service party changes.

A user may pass the login authentication of the service party through the authentication center after logging in to the authentication center with the terminal, and then log in to the service party with the terminal. If the status of the terminal's authentication at the authentication center is valid, the user may log in to different service parties with one click on the terminal. Logging in to the service party through indirect authentication with the authentication center as the third party comprises two steps: first, the user passes the identity authentication of the authentication center; second, the user passes the login authentication of the service party through the authentication center and logs in to the service party. The first step requires the user to use the user verification information or the user verification device on the terminal; the second step does not.
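The two-step indirect authentication above needs something the service party can check in the second step without asking the user for verification information again, and, since the service parties do not trust one another, something issued for one service party must be worthless at another. The following is an added example, not the patent's mechanism or code: the authentication center issues a short-lived login assertion for one APID, tagged with HMAC-SHA256 under a key shared only with the addressed service party, and the service party verifies the tag, the audience, the terminal, the expiry and single use before opening a session. The assertion format, its lifetime, the key values and the names are assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional, Set, Tuple

ASSERTION_TTL = 60.0   # assumption: an assertion may be presented for one minute


class AuthenticationCenterIssuer:
    """Step two of the page's indirect authentication: after the user passed the center's own
    identity authentication on a terminal, the center vouches for one APID to one service party."""

    def __init__(self, party_keys: Dict[str, bytes], now: Callable[[], float] = time.time):
        self._party_keys = party_keys            # service party name -> key shared with that party only
        self._now = now
        self._authenticated: Set[Tuple[str, str]] = set()   # (AUID, terminal) pairs past step one

    def mark_authenticated(self, auid: str, terminal: str) -> None:
        """Step one completed on this terminal with verification information or a device."""
        self._authenticated.add((auid, terminal))

    def issue(self, auid: str, terminal: str, party_name: str, apid: str) -> Optional[Dict[str, str]]:
        if (auid, terminal) not in self._authenticated or party_name not in self._party_keys:
            return None                           # no valid AUID login on this terminal
        body = {"apid": apid, "terminal": terminal, "aud": party_name,
                "exp": self._now() + ASSERTION_TTL, "jti": secrets.token_hex(8)}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
        tag = hmac.new(self._party_keys[party_name], payload.encode(), hashlib.sha256).hexdigest()
        return {"payload": payload, "tag": tag}


class ServicePartyVerifier:
    """The service party side: accepts an assertion only if it was made for it, for this terminal,
    is still fresh and has not been presented before."""

    def __init__(self, name: str, key: bytes, now: Callable[[], float] = time.time):
        self.name, self._key, self._now = name, key, now
        self._used: Set[str] = set()

    def accept(self, assertion: Dict[str, str], terminal: str) -> Optional[str]:
        expected = hmac.new(self._key, assertion["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["tag"]):
            return None                           # not issued under this party's key
        body = json.loads(assertion["payload"])
        if body["aud"] != self.name or body["terminal"] != terminal:
            return None                           # meant for another party or another terminal
        if self._now() > body["exp"] or body["jti"] in self._used:
            return None                           # stale or replayed
        self._used.add(body["jti"])
        return body["apid"]                       # the APID the terminal may now enter
```

Checking the tag before parsing the payload keeps the service party from acting on any field of an assertion it has not yet authenticated; the per-party key is what makes the service parties independent of each other even though they all trust the center.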

After a user logs in to the authentication center with the current terminal, the list of the user's APIDs at the different service parties associated with the authentication center is displayed on the interface of the current terminal once that interface has logged in to the authentication center.

The user logs in to the authentication center with an authentication program on the terminal, and can set the statuses of the logins or the sessions on the interface of the authentication program.

The user logs in to the user's APIDs at different service parties through the authentication center by using the authentication program.

The user may log in to the user's APIDs at different service parties with one click on the interface of the authentication program.

The user cannot log in to the service party through the authentication program when the authentication program is not running; only when the user has logged in to the authentication center with the authentication program can the user log in to the user's APID at the service party through it.

The user is capable of using another program, which is not the authentication program, to log in to the user's APID at the service party through the authentication program.

If the authentication program on the terminal is running and the status of the login by which the authentication program enters the user's AUID at the authentication center remains valid, the authentication program participates in the steps of transferring the “terminal identification information” or the “terminal service party identification information” of the terminal to the service party when the user logs in to the service party.

If the authentication program on the terminal keeps running and the status of the login by which the terminal enters the user's AUID at the authentication center remains valid, the authentication program participates in the procedure by which the user logs in to the user's APID at the service party with the terminal.

The different service parties are independent of each other and do not share account security with each other.

The different service parties are independent of each other, do not need to trust each other, and have no trust relationship with each other.

The different service parties do not share account security with each other.

A same user's APIDs at different service parties are independent of each other and do not need to trust or be associated with each other.

There is no mutual membership relation between the service party and the authentication center; the service party and the authentication center are entities that operate independently of each other.

The terminal, the service party and the authentication center are connected by the internet, and information transmission between the terminal, the service party and the authentication center is carried out over the internet.

The authentication center and the service party may each be a server or a server group. The service party may be an internet service provider that provides resources and services to the user on the internet, such as a website, and the authentication center is an internet operator specialized in providing the authentication login service on the internet.

The terminal used by the user may be a PC, desktop computer, notebook computer, tablet computer or smart mobile phone.

The communication path or route of the independent connection that the user establishes to the service party with the terminal does not include or pass through the authentication center, and the communication path or route of the independent connection that the user establishes to the authentication center with the terminal does not include or pass through the service party.

The “terminal identification information” or the “terminal authentication center identification information” is or includes feature information of the terminal itself. The feature information may be generated by the program with which the user logs in to the authentication center on the terminal; for example, it may be the terminal name, serial number, model name and the like.

The different service parties trust the authentication center, so after the user associates the AUID with the APID, the service party sends to the authentication center a confirmation that permits the user to set, through the authentication center, the status of the login or the session by which the terminal used by the user enters the user's APID at the service party.

The different terminals used by the user include the terminals the user used before and the terminals the user is using currently. “Different terminals” means multiple terminals that are obviously not the same terminal. The configurations and operating systems of the different terminals may be the same or different, and so may their types; for example, the different terminals may all be PCs, or include different types of terminals such as PCs and mobile phones.

The terminal with which the user logs in to the authentication center may or may not be the terminal with which the user logs in to the service party, and vice versa. For example: the user may use terminal A and terminal B to log in to the service party, and terminal B and terminal C to log in to the authentication center.

After a user logs in to the user's APID at the service party with the terminal, the terminal can maintain the valid status of the login or the session by which it enters the APID at the service party. That valid status may be set invalid by the user on the terminal: the user may set the status of the login or the session by which the terminal enters the APID to invalid on the interface that has logged in to the user's APID at the service party with the terminal; for example, the user may choose to quit the login on the interface that has logged in to the service party.

After a user logs in to the user's AUID at the authentication center with the terminal, the terminal can maintain the valid status of the login or the session by which it enters the AUID at the authentication center. That valid status may be set invalid by the user on the terminal: the user may set the status of the login or the session by which the terminal enters the AUID to invalid on the interface that has logged in to the user's AUID at the authentication center with the terminal; for example, the user may choose to quit the login on the interface that has logged in to the authentication center.

When the user logs in to the APID at the same service party with different terminals, the statuses of the logins or the sessions by which the different terminals enter the service party may be valid at the same time.

The user can set the “terminal identification information”, the “terminal authentication center identification information” or the “terminal user identification information” of the terminal on the terminal's interface that has logged in to the AUID at the authentication center.

The user uses the program on the terminal to set the “terminal identification information”, the “terminal service party identification information”, the “terminal authentication center identification information” or the “terminal user identification information” of the terminal, and when the user logs in to the service party the program participates in the steps that send the “terminal identification information” or the “terminal service party identification information” of the terminal to the service party.

The authentication center stores the corresponding relationships between a user's AUID at the authentication center and the user's APIDs at the different service parties; specifically, it may store the user's AUID at the authentication center and the user's APIDs at the different service parties in correspondence. The corresponding relationship between the AUID and an APID is associated by the user at the authentication center or at the service party, and after the user associates them at the service party, the service party sends a notification or confirmation of the association to the authentication center.

The service party also stores the corresponding relationship between the user's AUID at the authentication center and the user's APID at the service party: after the user associates the AUID and the APID at the authentication center or at the service party, the service party stores the APID and the AUID in correspondence too.

The user can set, on the interface that has logged in to the AUID at the authentication center, the “terminal identification information”, the “terminal authentication center identification information” or the “terminal user identification information” of the different terminals.

The different terminals of a same user connect to the network or the internet independently of each other.

Different users may use the same terminal or different terminals; for example, different users may use the same public desktop computer in an internet cafe.

The terminal's interface that has logged in to the user's AUID at the authentication center can display the specific account information of the user's APIDs at the different service parties, and the user can change the specific account information of the user's APIDs at the different service parties on that same interface.

The specific account information includes the user's contact information, which includes the user's mobile number, the user's email address or both, and may also include the user's contact address.

The specific account information includes the user's head portrait (avatar), nickname or both.

The specific account information includes the user's real-name authentication information. When the service party and the authentication center permit, the user can operate on the terminal's interface that has logged in to the authentication center to transfer and set, at the service party, the user's own real-name authentication information that was passed at the authentication center, or to delete, invalidate, or delete and invalidate the user's own real-name authentication information at the service party.

After the user passes the real-name authentication of the authentication center, the authentication center maintains the user's real-name authentication information. The user may pass the real-name authentication of the authentication center online or offline.

The real-name authentication information includes the user's national identification number or passport number.

The specific account information includes the permission for the user's APID at the service party to pay, to receive payment, or both; or the permission for the user's APID at the service party to pay, to receive payment, or both through the user's other fund accounts outside the service party; or both of these permissions. The user's other fund accounts outside the service party are the user's accounts at a bank or other institution that is not the service party.

The user can operate on the terminal's interface that has logged in to the user's AUID at the authentication center to associate the user's APID at the service party with the user's other fund accounts outside the service party, and to authorize the user's APID at the service party to pay with the funds of the other fund account, to receive payment into the other fund account, or both.

The user can operate on the terminal's interface that has logged in to the user's AUID at the authentication center to cancel or invalidate the association or the authorization between the user's APID at the service party and the user's other fund account outside the service party.

The specific account information includes the user's contact address.

The specific account information may include other information of the user's APID at the service party.

The user can set, on the terminal's interface that has logged in to the user's AUID at the authentication center, whether a specific service party is permitted or forbidden to get the specific account information from the authentication center. The specific service party may be one particular service party, a specific type of service party, or all service parties.

The specific account information that the user sets at the authentication center for a service party may be specific account information set specifically for that service party, unified specific account information set for a type of service parties, unified specific account information set for all service parties, or the specific account information set for the user's AUID at the authentication center.

The service party stores the user's APID's specific account information locally, or it gets the specific account information that the user set at the authentication center for the user's APID at the service party whenever it needs to use that information.

The service party stores the user's APID's specific account informationin the service party locally, and when the user logins theauthentication center and sets at the authentication center to changethe specific account information of the APID the authentication centersends the information about the change of the setting to the serviceparty.

When the service party needs to use the specific account information ofthe user the service party is capable of getting the specific accountinformation from the authentication center which the user sets at theauthentication center for the user's APID at the service party. When theuser is logining the user' APID at the service party or after the userlogins the user's APID at the service party, the service party iscapable of getting the specific account information from theauthentication center which the user sets at the authentication centerfor the service party.

That the user sets or operates at the authentication center means that, after the user logs in to the user's AUID at the authentication center by using the terminal, the user sets or operates on the terminal's interface that has logged in to the AUID at the authentication center.

That the user sets or operates at the authentication center means that, after the user logs in to the user's AUID at the authentication center by using the authentication program running on the terminal, the user sets or operates on the interface of the terminal's authentication program that has logged in to the AUID at the authentication center.

The user uses the authentication program on the terminal to log in to the authentication center.

The user sets or operates the authentication center on the interface of the terminal's authentication program that has logged in to the AUID at the authentication center.

On the interface of the terminal's authentication program that has logged in to the AUID at the authentication center, the user can choose to log in to different service parties.

The program that the user uses to log in to the service party is either the authentication program or a different program. For example, when the authentication program is a browser, the user can log in to the service party with the same browser. When the authentication program is a special program issued by the authentication center, the user can log in to the service party with a new browser opened by the authentication program.

The user can log in to the service party with one click on the interface of the terminal's authentication program that has logged in to the AUID at the authentication center. For example, the user clicks a link to the service party on the authentication program's interface, and the user's terminal then logs in to the service party directly.

The specific account information of the user's APID at the service party is displayed on the authentication program's interface that has logged in to the user's AUID at the authentication center, and on that interface the user can change the user's specific account information at the different service parties.

When the user's terminal or the authentication program stops running, the login by which the terminal or the authentication program entered the user's AUID at the authentication center becomes invalid too.

When the login by which the user's terminal or the authentication program enters the user's AUID at the authentication center is invalid, the user must input the user verification information into the terminal again, or use the verification device on the terminal, to pass the identity authentication; only then can the terminal or the authentication program log in to the user's AUID at the authentication center again. For example, the user's terminal is a mobile phone whose operating system interface is unlocked by fingerprint identification; after the phone is shut down the user must use the fingerprint to reopen the operating system interface, and only after the interface is open can the phone log in to the user's AUID at the authentication center again. Of course, after the user opens the operating system interface, the phone may also need to pass other authentication, or the authentication center's own authentication, before it can log in to the user's AUID at the authentication center.

The login is maintained either by a conversation based on conversation information held by both parties or by a connection based on the network addresses of both parties. For example, the login by which the user's terminal enters the AUID at the authentication center, or the login by which the user's terminal enters the APID at the service party, may be based on a connectionless conversation between the two parties (such as a conversation secret key or a Session ID), or on a connection based on the mapping of the two parties' network addresses (TCP/IP addresses).

After the user registers the AUID at the authentication center, the user can associate the user's APIDs at the different service parties with the user's AUID at the authentication center; after the association, the authentication center stores the corresponding relationships between the user's AUID and the user's APIDs at the different service parties.

The user can log in to the service party without passing through the authentication center, or, when the terminal has logged in to the authentication center, the user can log in to the service party through the authentication center by using the terminal. For example, the user can use the terminal to log in to the user's APID at the service party directly. Or the user clicks the link to the service party on the terminal's interface that has logged in to the authentication center; the authentication center transfers the verification credential to the service party through the user's terminal, where the credential may be retransmitted by the authentication program or by another program on the terminal; and finally, if the service party confirms that the credential is correct, the user's terminal logs in to the user's APID at the service party through the program that retransmitted the verification credential.

Each time the user logs in to the service party through the authentication center by using the terminal, the authentication center sends the verification credential to the service party, either directly or through the user's terminal.

The verification credential is issued by the authentication center specifically for that service party, and it cannot be used to log in to other service parties.

The verification credential is issued by the authentication center specifically for the user or the user's terminal, and other users or other users' terminals cannot use the verification credential to log in to the service party.

The verification credential has a period of validity, and an expired verification credential is invalid.

When the user logs in to the service party through the authentication center, the service party cannot impersonate the user to log in to other service parties by means of the login by which the user entered the service party. For example, because the verification credential is issued by the authentication center specifically for that service party, the service party cannot impersonate the user to log in to other service parties using the verification credential it received.
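The four properties of the verification credential above (bound to one service party, bound to one user or terminal, time-limited, and unusable by the receiving service party at any other service party), shown in one way a practitioner could realize them. This is an added illustration and not code from the patent: the authentication center signs each credential with a key shared only with the target service party, and each service party verifies with its own key and checks the audience, terminal and expiry fields. The per-party HMAC key, the field names, the single-use nonce and the sample identifiers are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets


class Clock:
    """Constructed controllable clock so that expiry can be demonstrated offline."""

    def __init__(self, start=1_000_000):
        self.now = start

    def advance(self, seconds):
        self.now += seconds


class AuthenticationCenter:
    """Issues verification credentials. One shared HMAC key per service party is
    assumed to be provisioned out of band when the party is registered."""

    def __init__(self, clock):
        self.clock = clock
        self.party_keys = {}

    def register_party(self, party_name):
        key = secrets.token_bytes(32)
        self.party_keys[party_name] = key
        return key

    def issue_credential(self, auid, apid, party_name, terminal_id, ttl_seconds=60):
        # Bound to one service party (aud), one user (auid/sub), one terminal (term)
        # and a validity window (exp); the nonce makes the credential single-use.
        payload = {
            "aud": party_name,
            "auid": auid,
            "sub": apid,
            "term": terminal_id,
            "exp": self.clock.now + ttl_seconds,
            "nonce": secrets.token_hex(8),
        }
        body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
        tag = hmac.new(self.party_keys[party_name], body.encode(), hashlib.sha256).hexdigest()
        return body + "." + tag


class ServiceParty:
    """Verifies a credential with its own key and rejects anything not scoped to it."""

    def __init__(self, party_name, key, clock):
        self.party_name = party_name
        self.key = key
        self.clock = clock
        self.used_nonces = set()

    def verify_credential(self, credential, presenting_terminal):
        """Return the APID to log in, or None (no reason is revealed to the presenter)."""
        body, sep, tag = credential.rpartition(".")
        if not sep:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None  # forged, or issued for another party (different key)
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload.get("aud") != self.party_name:
            return None  # audience check made explicit as well
        if payload.get("term") != presenting_terminal:
            return None  # another user's terminal cannot present it
        if payload.get("exp", 0) <= self.clock.now:
            return None  # expired
        if payload["nonce"] in self.used_nonces:
            return None  # already redeemed once
        self.used_nonces.add(payload["nonce"])
        return payload["sub"]


def demo():
    """Exercise each property on constructed parties; returns the outcomes for checking."""
    clock = Clock()
    center = AuthenticationCenter(clock)
    party_a = ServiceParty("A", center.register_party("A"), clock)
    party_b = ServiceParty("B", center.register_party("B"), clock)

    cred = center.issue_credential("auid-1", "apid-a-1", "A", "phone-1")
    results = {
        "ok_at_a": party_a.verify_credential(cred, "phone-1"),        # correct party/terminal/time
        "rejected_at_b": party_b.verify_credential(cred, "phone-1"),  # A cannot reuse it at B
        "replay_at_a": party_a.verify_credential(cred, "phone-1"),    # second redemption refused
    }
    cred2 = center.issue_credential("auid-1", "apid-a-1", "A", "phone-1")
    results["wrong_terminal"] = party_a.verify_credential(cred2, "pc-1")
    clock.advance(120)  # past the 60-second validity window
    results["expired"] = party_a.verify_credential(cred2, "phone-1")
    return results


if __name__ == "__main__":
    print(demo())
```

Because the tag is computed with a key that service party B never holds, a credential issued for A fails B's signature check before any field is even read; the explicit audience check is kept so that the property does not depend on key separation alone.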

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a network structure diagram of Embodiment 1.

DETAILED DESCRIPTION

Besides what is described below, the following embodiments may include any step or characteristic applicable from the SUMMARY above, and technical personnel in the field may transform or change the following embodiments according to any step or characteristic applicable from the SUMMARY above so as to realize this invention in a way different from the following description. The realizations or embodiments of this invention cannot all be listed in this description, but technical personnel in the field may transform or change the schemes of this invention according to the SUMMARY above, and such transformed or changed schemes obviously belong to the scope that this description has disclosed or supported.

Embodiment 1

In this embodiment the authentication center is a service provider's server (or server group) that provides a login information service on the internet. This embodiment includes different service parties, which are different and independent internet service providers that trust the authentication center (for example, two independent websites: service party A and service party B). The user uses different terminals to log in to the service parties, and these terminals include multiple terminals of different types such as mobile phones, PCs and tablet computers (for example, the user may have 2 PCs, 1 mobile phone and 1 tablet computer, which are 4 different terminals of 3 types in total).

First, the following Preposed-step must be carried out, and it needs to be carried out only once.

Preposed-step: the user registers APID-A at service party A, registers APID-B at service party B, and registers AUID at the authentication center; then the user associates APID-A and APID-B with AUID, either at the different service parties (A and B) or at the authentication center, and either the different service parties (A and B) send association notifications to the authentication center for confirmation or the authentication center sends association notifications to the different service parties for confirmation.

For example: after the user logs in to service party A, the user sends the user's AUID at the authentication center to service party A; service party A sends the user's APID-A and AUID together to the authentication center as the association notification; if the authentication center confirms that the AUID exists, it stores APID-A and AUID correspondingly and returns an association confirmation to service party A; after service party A receives the association confirmation, it stores the AUID and the user's APID-A correspondingly; and service party A returns a message of association success to the authentication center. For another example: after the user logs in to the authentication center by using the terminal, the user inputs the user's APID-B at service party B, the name of service party B, and the user's identification password at service party B into the terminal's interface that has logged in to the authentication center in order to associate them; the authentication center sends the association notification, including the user's APID-B at service party B, the user's identification password at service party B, and the user's AUID at the authentication center, to service party B; if service party B confirms that the identification password is correct, it stores the user's APID-B and AUID correspondingly and returns the association confirmation to the authentication center; after the authentication center receives the association confirmation, it stores the user's APID-B and AUID correspondingly too; and finally the authentication center sends the message of association success to the service party.

Then the following steps can be carried out.

The first step: the user logs in to the user's APIDs at the different service parties by using different terminals, or different programs on a terminal, respectively (for example, the PC and the mobile phone log in to service party A and B respectively and keep the login status valid). If the user has not made the terminal exit from the login to the service party, the user can log in to the APID at the service party directly, without passing identity authentication on the terminal by inputting the user verification information or using the user verification device, and without passing the indirect authentication of a third party. The valid status of the login is maintained by a valid conversation between the terminal (PC, mobile phone) and the service party (A, B). For example, after the user logs in to service party A by using a PC, service party A generates a conversation secret key (such as a Cookie) and sends it to the PC; the PC may store the conversation secret key on its hard disk or another nonvolatile storage medium; and as long as the conversation secret key is valid, the PC can log in to APID-A at service party A directly by means of the conversation secret key (for example, using a browser that supports Cookies), without the user passing identity authentication on the terminal by inputting the user verification information or using the user verification device, and without passing the indirect authentication of a third party.

The second step: when the user logs in to the AUID at the authentication center by using a terminal, or by using a terminal's authentication program issued by the authentication center, the authentication center sends requests to refresh the login statuses to the service parties associated with the AUID (such as service party A and service party B); after the different service parties (such as A and B) receive the refresh requests, they return to the authentication center the statuses of the logins by which the different terminals, or the different programs on different terminals, that the user used or is using entered their local side (for example: the logins by which the PC, the mobile phone and the different programs on both entered APID-A at service party A and APID-B at service party B are all currently valid).

After the user logs in to the authentication center by using the terminal, the service party sends the status of the login or the session to the authentication center. When the user logs in to the user's AUID at the authentication center by using the terminal and requests a refresh of the status information, the service party sends the statuses of the logins or sessions. And when the status of the login or session by which the user's terminal enters the user's APID at the service party changes, the service party sends the refreshed status of the login or session to the authentication center.

After the user logs in to the authentication center by using the current terminal, the authentication center sends to the current terminal the statuses of the logins by which the different terminals used by the user enter the authentication center.

The third step: the authentication center sends the received login statuses to the terminal that the user is using and that has logged in to the AUID, or to the authentication program on that terminal. On the terminal's interface that has logged in to the authentication center, the user can see the list of the statuses of the logins or sessions by which the different terminals the user used or is using, or the different programs on those terminals, enter the user's APIDs at the different service parties.

When the statuses of the logins by which the different terminals used by the user, or the different programs on those terminals, enter the different service parties change, the service party sends the changed login statuses to the authentication center, and the authentication center sends the statuses to the user's terminal. For example, the user may choose to exit the login on the mobile phone's interface, or on the interface of the mobile phone's specific program, that has logged in to service party A; service party A sends the invalid login status of the user's mobile phone to the authentication center; the authentication center sends the invalid login status to the user's current terminal that has logged in to the authentication center; and the user can thus see the login statuses of the user's terminals update in real time. The user may also choose, on the terminal's interface that has logged in to the authentication center, to update the login statuses of a specific service party, a specific terminal, or a specific program.

The fourth step: on the interface that has logged in to the authentication center, the user can change, stop or invalidate the statuses of the logins or sessions by which the different terminals used by the user, or the different programs on those terminals, enter the user's APIDs at the different service parties. Changing includes making the status of the login or session valid, invalid, or paused. For example: the interface of the PC or tablet computer that the user is currently using has logged in to the AUID at the authentication center, and the user sets on that interface to invalidate the status of the login by which the mobile phone, or a program on the mobile phone, enters APID-A at service party A; the authentication center then sends an invalidation instruction to service party A; after service party A receives the invalidation instruction, it deletes or invalidates the conversation secret key it generated for the user's mobile phone or the program on it; the user's mobile phone or the program can then no longer log in to the user's APID-A directly (the login status is invalid) when it reconnects to service party A's address; and before the user's mobile phone or the program on it can log in to APID-A again (the login status can become valid again), the user must pass service party A's identity authentication on the mobile phone by inputting the user verification information or using the user verification device. In the same way, on the interface that has logged in to the authentication center, the user can set the statuses of the logins or sessions by which the PC, or specific programs on the PC, enter service party A and service party B.
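The Preposed-step and the four steps of Embodiment 1, run end to end as an added example; this is constructed illustration code, not the patent's own implementation, and the account names, passwords, terminal names and the opaque session id are assumptions of the example. Two points the steps leave implicit are made explicit here: the service party reports an opaque session id to the authentication center rather than the conversation secret key itself, so the center never holds anything that could itself log in as the user; and the center checks that a session belongs to the requesting user's own APID before forwarding an invalidation instruction, so one user cannot invalidate another user's sessions.

```python
import hashlib
import hmac
import secrets


class ServiceParty:
    """Constructed service party (e.g. website A). It owns its password store and its
    conversation secret keys; the center only ever sees opaque session ids."""

    def __init__(self, name):
        self.name = name
        self.credentials = {}    # apid -> (salt, pbkdf2 hash)
        self.apid_to_auid = {}   # association stored locally in the Preposed-step
        self.sessions = {}       # secret key -> {"id", "apid", "terminal", "program", "valid"}

    def register(self, apid, password):
        salt = secrets.token_bytes(16)
        self.credentials[apid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login_with_password(self, apid, password, terminal, program):
        """Identity authentication on the terminal; returns a fresh conversation secret key."""
        salt, stored = self.credentials.get(apid, (b"", b""))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not stored or not hmac.compare_digest(candidate, stored):
            return None
        key = secrets.token_urlsafe(32)
        self.sessions[key] = {"id": secrets.token_hex(8), "apid": apid,
                              "terminal": terminal, "program": program, "valid": True}
        return key

    def login_with_session_key(self, key):
        """Direct login by the stored key (a browser presenting its cookie)."""
        rec = self.sessions.get(key)
        return rec["apid"] if rec and rec["valid"] else None

    def invalidate_session(self, session_id, apid):
        """Invalidation instruction from the center; only touches sessions of the named APID."""
        for rec in self.sessions.values():
            if rec["id"] == session_id and rec["apid"] == apid and rec["valid"]:
                rec["valid"] = False
                return True
        return False

    def statuses_for(self, auid):
        """Status report for the center: opaque session id, never the secret key."""
        return [{"party": self.name, "session_id": r["id"], "terminal": r["terminal"],
                 "program": r["program"], "valid": r["valid"]}
                for r in self.sessions.values() if self.apid_to_auid.get(r["apid"]) == auid]


class AuthenticationCenter:
    """Holds the AUID/APID correspondences and relays status requests and invalidations."""

    def __init__(self):
        self.parties = {}
        self.auid_to_apids = {}   # auid -> {party name: apid}

    def register_party(self, party):
        self.parties[party.name] = party

    def associate(self, auid, party_name, apid):
        """Preposed-step: both sides store the correspondence."""
        self.auid_to_apids.setdefault(auid, {})[party_name] = apid
        self.parties[party_name].apid_to_auid[apid] = auid

    def refresh_statuses(self, auid):
        """Second/third step: request a refresh from every associated party and merge."""
        return [s for name in self.auid_to_apids.get(auid, {})
                for s in self.parties[name].statuses_for(auid)]

    def invalidate(self, auid, party_name, session_id):
        """Fourth step. The center must check that the session belongs to this user's own
        APID before forwarding, otherwise any logged-in user could log out any other."""
        apid = self.auid_to_apids.get(auid, {}).get(party_name)
        if apid is None or party_name not in self.parties:
            return False
        return self.parties[party_name].invalidate_session(session_id, apid)


def demo():
    """Runs the four steps on constructed accounts; returns the outcomes for checking."""
    center = AuthenticationCenter()
    a, b = ServiceParty("A"), ServiceParty("B")
    center.register_party(a)
    center.register_party(b)
    a.register("apid-a", "pw-a")
    b.register("apid-b", "pw-b")
    center.associate("auid-1", "A", "apid-a")
    center.associate("auid-1", "B", "apid-b")
    pc_key = a.login_with_password("apid-a", "pw-a", "pc-1", "browser")     # first step
    phone_key = b.login_with_password("apid-b", "pw-b", "phone-1", "app")
    statuses = center.refresh_statuses("auid-1")                            # second/third step
    pc_session = next(s["session_id"] for s in statuses if s["terminal"] == "pc-1")
    return {
        "statuses_before": sorted((s["party"], s["terminal"], s["valid"]) for s in statuses),
        "invalidated": center.invalidate("auid-1", "A", pc_session),        # fourth step
        "other_user_blocked": center.invalidate("auid-2", "A", pc_session),
        "pc_direct_login": a.login_with_session_key(pc_key),                # None: cookie is dead
        "phone_direct_login": b.login_with_session_key(phone_key),          # untouched
        "pc_relogin_with_password": a.login_with_password("apid-a", "pw-a", "pc-1", "browser") is not None,
    }


if __name__ == "__main__":
    print(demo())
```

After the invalidation the PC's stored conversation secret key no longer logs in, the phone's login at service party B is unaffected, and the PC can only regain a valid login by passing service party A's own identity authentication again, which is exactly the behaviour the fourth step describes.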

After the user logs in to the user's APID at the service party by using a specific program on the terminal, the terminal or the specific program sends the terminal's “terminal identification information” to the service party, and the “terminal identification information” includes or is accompanied by the “program identification information”. For example: the user logs in to the user's APID at a service party by using the Microsoft browser on the user's PC, and the browser sends the name “somebody's home PC” that the user set for the PC together with the name “Microsoft browser” that the user set for the browser to the service party; the service party sends the names of the PC and the browser to the authentication center; the authentication center sends the names of the PC and the browser together to the authentication program on the user's terminal that has logged in to the user's AUID at the authentication center; and the user can then see the statuses of the logins by which the different programs on the user's different terminals enter the user's APIDs at the different service parties. That is, the user can see that the user logged in to his own APID at the service party by using the “Microsoft browser” on the PC “somebody's home PC”. The PC's name “somebody's home PC” is the “terminal identification information” and the browser's name “Microsoft browser” is the “program identification information”; or the name of the PC and the name of the browser together form the “terminal identification information”.

The user can use the authentication program to log in to the user's AUID at the authentication center, and the authentication program on the terminal stores the terminal's “terminal identification information”. When the user requests and logs in to the user's APID at the service party, the authentication program sends the “terminal identification information” to the specific program with which the user logs in to the service party, and the specific program sends the “terminal identification information” to the service party.

The user can log in to the user's AUID at the authentication center by using the authentication program, and the authentication program on the terminal stores the “program identification information” of the specific program with which the user logs in to the user's APID at the service party. The user starts the specific program through the authentication program that has logged in to the AUID, and uses the specific program to request and log in to the user's APID at the service party; the authentication program sends the specific program's “program identification information” to the specific program with which the user logs in to the service party, and the specific program sends the “program identification information” to the service party. In this case the “terminal identification information” includes the “program identification information”.

Alternatively, the specific program that the user uses on the terminal to log in to the service party stores its own “program identification information” on the terminal, and sends the “program identification information” to the service party when the user logs in to the service party with that program. In this case the “terminal identification information” may be accompanied by the “program identification information”; that is, the “program identification information” may accompany the “terminal identification information” when it is sent from the user's terminal to the service party.

After a user logs in to the AUID at the authentication center by using the current terminal, the authentication center can send to the current terminal the statuses of the logins or sessions by which the different terminals used by the user enter the user's APIDs at different service parties. On the current terminal's interface that has logged in to the user's AUID at the authentication center, the user can change, stop or disable the statuses of the logins or sessions by which the different terminals used by the user enter the user's APIDs at different service parties.

A user can set at the authentication center whether a specific terminal is permitted or forbidden to log in to the user's APID at a specific service party. The specific terminal may be a terminal not registered at the authentication center, a terminal not associated with the user's AUID at the authentication center, a terminal of a specific type, one particular terminal, or all terminals. Either, when a user logs in to the APID at the service party by using a terminal, the service party sends the “terminal identification information” to the authentication center and the authentication center returns a confirmation that permits or forbids the login; or the user must log in to the user's APID at the service party by first logging in to the authentication center, and the authentication center then decides directly whether the login by which the user's terminal enters the service party is permitted. For example, a user can set at the authentication center to permit or forbid a mobile terminal to log in to the user's account at a payment platform.

A user can set at the authentication center to forbid a terminal that is not registered at the authentication center, or not associated with the user's AUID at the authentication center, from logging in to the user's APID at a specific service party or the user's APIDs at all service parties.

A user can set at the authentication center, or the authentication center can set automatically by default, that a specific terminal must log in to the user's APID at a specific service party through the authentication center, or that the specific terminal can log in to the user's APID only when the user has logged in to the user's AUID with the authentication program. The specific terminal may be a terminal not registered at the authentication center, a terminal not associated with the user's AUID at the authentication center, a terminal of a specific type, one particular terminal, or all terminals. For example: when a user logs in to the user's APID at the service party by using the specific terminal, the specific terminal must request and get an authentication credential for this login, then transfer the authentication credential to the service party, and only after the service party verifies that the authentication credential is correct will it permit the specific terminal to log in to the user's APID.

A user can set at the authentication center whether a specific terminal is permitted or forbidden to use a specific function of a specific service party. The specific terminal may be a terminal not registered at the authentication center, a terminal not associated with the user's AUID at the authentication center, a terminal of a specific type, one particular terminal, or all terminals. For example, a user can set at the authentication center to forbid a mobile terminal from paying or transferring funds through the user's account at a third-party payment platform.

After a user logs in to the AUID at the authentication center by using the current terminal, the authentication center can send to the current terminal the statuses of the logins or sessions by which the different programs used by the user enter the user's APIDs at different service parties, and on the current terminal's interface that has logged in to the user's AUID at the authentication center the user can change, stop or disable the statuses of the logins or sessions by which the different programs used by the user enter the user's APIDs at different service parties.

After a user logs in to the AUID at the authentication center by using the current terminal, the authentication center can send to the current terminal the statuses of the logins or sessions by which the different programs on the different terminals used by the user enter the user's APIDs at different service parties, and on the current terminal's interface that has logged in to the user's AUID at the authentication center the user can change, stop or disable the statuses of the logins or sessions by which the different programs on the different terminals used by the user enter the user's APIDs at different service parties.

A user can set at the authentication center whether a specific program, or a specific program on a specific terminal, is permitted or forbidden to log in to the user's APID at a specific service party.

A user can set at the authentication center to forbid a specific program on a specific terminal, or a specific program that is not registered at the authentication center or not associated with the user's AUID at the authentication center, from logging in to the user's APID at a specific service party or the user's APIDs at all service parties.

A user can set at the authentication center, or the authentication center can set automatically by default, that a specific program on a specific terminal, or a specific program, must log in to the user's APID at a specific service party through the authentication center, or can log in to the user's APID at the specific service party only when the user has logged in to the user's AUID at the authentication center with the authentication program.

A user can set at the authentication center whether a specific program on a specific terminal, or a specific program, is permitted or forbidden to use a specific function of a specific service party.
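The permit/forbid settings of the preceding paragraphs (unregistered terminals, terminal types, individual terminals or programs, logins that must pass through the authentication center, and per-function restrictions such as forbidding a mobile terminal from paying) evaluated as one policy, as an added example that is not the patent's code. The selector order (a program on one terminal, then the terminal, then its type, then all terminals), the rule names, the party names and the sample terminals are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Terminal:
    """A terminal as the center sees it from the reported terminal identification information."""
    terminal_id: str
    kind: str                              # e.g. "mobile", "pc", "tablet"
    program: str                           # e.g. "browser", "app"
    registered_auid: Optional[str] = None  # AUID the terminal is associated with at the center


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class AccessPolicy:
    """Per-user settings kept at the authentication center (constructed example).
    Rules are keyed by a selector: one program on one terminal, one terminal,
    a terminal type, or '*' for all terminals."""

    def __init__(self):
        self.forbid_unregistered = set()   # AUIDs that block terminals not registered to them
        self.login_rules = {}              # (auid, party, selector) -> "permit" | "forbid"
        self.require_center = set()        # (auid, party, selector): must log in via the center
        self.function_rules = {}           # (auid, party, selector, function) -> "permit" | "forbid"

    @staticmethod
    def selectors(t):
        """Most specific first, so a narrow rule overrides a broad one."""
        return (f"{t.terminal_id}:{t.program}", t.terminal_id, t.kind, "*")

    def decide_login(self, auid, party, terminal, via_center):
        if auid in self.forbid_unregistered and terminal.registered_auid != auid:
            return Decision(False, "terminal not registered to this AUID")
        for sel in self.selectors(terminal):
            rule = self.login_rules.get((auid, party, sel))
            if rule == "forbid":
                return Decision(False, f"login forbidden by rule for {sel}")
            if rule == "permit":
                break
        for sel in self.selectors(terminal):
            if (auid, party, sel) in self.require_center and not via_center:
                return Decision(False, f"{sel} must log in through the authentication center")
        return Decision(True, "login permitted")

    def decide_function(self, auid, party, terminal, function):
        # A function can only be used from a login that is itself permitted.
        login = self.decide_login(auid, party, terminal, via_center=True)
        if not login.allowed:
            return login
        for sel in self.selectors(terminal):
            rule = self.function_rules.get((auid, party, sel, function))
            if rule is not None:
                return Decision(rule == "permit", f"function {function!r} {rule} for {sel}")
        return Decision(True, "no function rule; permitted")


def demo():
    """Applies the examples given in the text to constructed terminals; returns the verdicts."""
    auid, pay, bank = "auid-1", "payment-platform", "bank"
    policy = AccessPolicy()
    policy.forbid_unregistered.add(auid)
    policy.login_rules[(auid, bank, "mobile")] = "forbid"               # no mobile logins at the bank
    policy.require_center.add((auid, pay, "*"))                          # all terminals: via the center
    policy.function_rules[(auid, pay, "mobile", "pay")] = "forbid"       # mobile may look but not pay
    policy.login_rules[(auid, pay, "pc-1:unknown-browser")] = "forbid"   # one program on one PC

    phone = Terminal("phone-1", "mobile", "app", auid)
    pc = Terminal("pc-1", "pc", "browser", auid)
    pc_other = Terminal("pc-1", "pc", "unknown-browser", auid)
    stray = Terminal("pc-9", "pc", "browser", None)   # never registered at the center
    return {
        "phone_bank_login": policy.decide_login(auid, bank, phone, via_center=False).allowed,
        "pc_bank_login": policy.decide_login(auid, bank, pc, via_center=False).allowed,
        "pc_pay_direct": policy.decide_login(auid, pay, pc, via_center=False).allowed,
        "pc_pay_via_center": policy.decide_login(auid, pay, pc, via_center=True).allowed,
        "stray_bank_login": policy.decide_login(auid, bank, stray, via_center=True).allowed,
        "pc_other_program": policy.decide_login(auid, pay, pc_other, via_center=True).allowed,
        "phone_pay_function": policy.decide_function(auid, pay, phone, "pay").allowed,
        "phone_balance_function": policy.decide_function(auid, pay, phone, "view_balance").allowed,
        "pc_pay_function": policy.decide_function(auid, pay, pc, "pay").allowed,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The unregistered-terminal check runs before any rule lookup, so a terminal the center has never seen is refused even when no explicit rule names it; every decision carries a reason so that the service party can log why a login or function was refused without the policy store being exposed.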

The program in this invention is functional software, for example a browser, an application program, or a special program.

Each time a user uses a terminal to reconnect to and log in to the service party, the terminal sends the terminal's “terminal identification information” or the terminal's “terminal service party identification information” to the service party, and the service party can derive the terminal's “terminal identification information” from its “terminal service party identification information”. The connection here is a generalized connection, which includes a connection based on identification information and a connection based on network addresses, for example a conversation connection based on identification information and a TCP connection based on network addresses; or the connection may refer to a connection based on a mapping of network addresses, for example a connection based on TCP or IP addresses. The service party stores the terminal's “terminal service party identification information”. The “terminal identification information” may be stored on the terminal, or transferred from the authentication center to the terminal and then from the terminal to the service party, or input into the terminal by the user. The “terminal identification information” or the “terminal service party identification information” may be set by the user, generated by the authentication center, or be feature information of the terminal itself.

The different service parties are independent of each other: they do not need to trust each other and have no trust relationship with each other; there is no mutual membership relation between a service party and the authentication center, and the service party and the authentication center are entities that operate independently; the communication path or route of the independent connection that the user establishes to the service party by using the terminal does not include or pass through the authentication center, and the communication path or route of the independent connection that the user establishes to the authentication center by using the terminal does not include or pass through the service party.

The terminal's interface that has logged in to the user's AUID at the authentication center can display the specific account information of the user's APIDs at the different service parties, and on that interface the user can change the specific account information of the user's APIDs at the different service parties.

The specific account information includes the user's contact information, and the user's contact information includes the user's mobile number, the user's email address, or both. The user's contact information may also include the user's contact address.

The specific account information includes the user's head portrait, nickname, or both.

Embodiment 2

In this embodiment the authentication center is the server (group) of a service provider which provides a login information service on the internet. Service party A and service party B are two independent websites which trust the authentication center, and the user's terminals are a mobile phone, a PC and a tablet computer.

Firstly, the following Preposed-step is required to be carried out, and needs to be carried out only once. This Preposed-step is the precondition for the subsequent steps.

Preposed-step: the user registers APID-A at service party A, registers APID-B at service party B and registers AUID at the authentication center, and then the user associates APID-A and APID-B with AUID at service party A and service party B respectively, and service party A and service party B each send an association notification to the authentication center for confirmation. For example: after the user logs in to service party A, the user sends the user's AUID at the authentication center to service party A; service party A sends the user's APID-A and AUID together to the authentication center; if the authentication center confirms that the AUID exists, the authentication center stores APID-A and AUID correspondingly and returns an association confirmation to service party A; after service party A receives the association confirmation, service party A stores the AUID and the user's APID-A correspondingly; and service party A returns a message of association success to the authentication center. For another example: after the user logs in to the authentication center by using the terminal, the user sends the user's APID at the service party to the authentication center; the authentication center stores the APID and the user's AUID correspondingly; the authentication center sends a notification of the association to the APID's service party; and after the service party receives the notification, the service party stores the APID and the user's AUID correspondingly too and returns an association confirmation to the authentication center.

The user logs in to the authentication center by using the mobile phone, the PC and the tablet computer, and the first time the user's mobile phone, PC and tablet computer log in to the authentication center, the authentication center generates a “terminal identification code” for the mobile phone, the PC and the tablet computer respectively. The authentication center sends the “terminal identification codes” to the user's mobile phone, PC and tablet computer. The program on the user's terminal that is used to log in to the authentication center stores the “terminal identification code” in the nonvolatile memory (flash memory or hard disk) of the user's mobile phone, PC and tablet computer. The user is capable of setting the “terminal user identification information” after logging in to the authentication center, and the authentication center stores the “terminal user identification information” of a terminal correspondingly with the “terminal identification information” of the same terminal.

Then the following steps are capable of being carried out.

The first step. The user logs in to APID-A at service party A by using the PC and the mobile phone respectively, and the PC and the mobile phone maintain valid login statuses at service party A at the same time. The user logs in to APID-B at service party B by using the PC and the mobile phone respectively, and the PC and the mobile phone maintain valid login statuses at service party B at the same time. If the user has not made the PC and the mobile phone exit from the logins at service party A and service party B, then when the user opens the addresses of service party A and B by using the PC and the mobile phone, the user is capable of logging in to APID-A and APID-B directly, with no need to pass identity authentication on the terminal by inputting the user verification information or using the user verification device, or to pass the indirect authentication of a third party. The valid status of a login is maintained by the conversation between the terminal (PC, mobile phone) and the service party (A, B). For example: after the user logs in to service party A by using the PC, service party A generates a conversation secret key and sends it to the PC; the PC may store this conversation secret key on the hard disk or other nonvolatile storage medium; and while the conversation secret key is valid the PC is capable of logging in to APID-A at service party A directly by means of the conversation secret key.

When the user's mobile phone and PC log in to service party A and service party B, they send their own “terminal identification codes” to service party A and service party B, and service party A and service party B store the “terminal identification codes” of the mobile phone and the PC correspondingly together with the conversation secret keys.

The second step. When the user logs in to the AUID at the authentication center, the authentication center sends requests for updating the login statuses to the service parties corresponding to the AUID (service party A and service party B in this embodiment). After service party A and service party B receive the requests for updating the login statuses, they return to the authentication center the statuses of the logins by which the PC and the mobile phone used by the user enter service party A and service party B: the statuses of the logins by which the PC and the mobile phone enter APID-A at service party A and APID-B at service party B are all valid.

The login statuses which service party A and service party B send to the authentication center include the “terminal identification information” of the user's mobile phone and PC.

Service party A and B also send other related information about the user's APIDs to the authentication center.

The third step. The authentication center sends the received login statuses to the user's PC or tablet computer which has logged in the AUID. The login statuses include the “terminal identification information” or the “terminal user identification information” of the user's mobile phone or PC (if the user has set the “terminal user identification information” at the authentication center before).

The authentication center also sends, to the PC or tablet computer used by the user, the statuses of the logins by which the different terminals used by the user currently enter the user's AUID at the authentication center. At this moment the statuses of the logins by which the PC and tablet computer used by the user enter the authentication center are valid, and the statuses of the logins by which the user's other terminals enter the authentication center are invalid.

The authentication center also sends the other related information to the user's current terminal.

The fourth step. On the interface which has logged in the AUID at the authentication center, the user is capable of seeing and setting (changing, stopping or invalidating) the statuses of the logins or the sessions by which the different terminals used by the user enter the user's APIDs at the different service parties. The user is capable of distinguishing the different terminals by the “terminal identification information” or the “terminal user identification information” in the list of login statuses. “Changing” includes making the status of a login or session valid, invalid or paused. For example: on the interface of the PC or tablet computer currently used by the user, which has logged in the AUID of the authentication center, the user sets the status of the login by which the mobile phone enters APID-A at service party A to invalid; the authentication center sends the instruction to service party A; service party A invalidates or deletes the conversation secret key which service party A generated for the user's mobile phone; after that, when the user's mobile phone reconnects to the address of service party A it is not capable of entering APID-A directly (the status of the login is invalid); and before the user's mobile phone is capable of re-entering APID-A (the status of the login becoming valid again), the user must pass the identity authentication of service party A by inputting the user verification information again, using the user verification device again, or passing the indirect authentication of the third party. Similarly, the user is capable of setting at the interface of the authentication center the statuses of the logins by which the PC enters service party A and B.

When the statuses of the logins by which the different terminals used by the user enter the different service parties change, the service parties send the changed login status to the authentication center, and the authentication center sends it to the user's terminal. For example: the user may choose to exit the login at the mobile phone's interface which has logged in service party A; service party A sends the information that the login status of the user's mobile phone has been invalidated to the authentication center; the authentication center sends the information of the invalidation to the user's current terminal which has logged in the authentication center; and the user sees the real-time update of the login statuses of the terminals used by the user. The user may also choose to refresh the login statuses of a specific service party or a specific terminal at the terminal's interface which has logged in the authentication center.

The user is capable of setting, on the terminal's interface which has logged in the authentication center, the statuses of the logins by which the different terminals enter the authentication center.
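The first to fourth steps above describe one exchange: a service party keeps, for each APID, a conversation secret key per terminal identification code; when the AUID logs in, the authentication center asks every associated service party for its login statuses and shows the combined list; and the user's “invalidate” setting is forwarded to the service party, which deletes the key so that the terminal can no longer enter the APID directly. The Go program below is an added example that models that exchange in memory. It is not code from the patent or from any product implementing it; the type and function names, the string form of the terminal identification code and the random 16-byte conversation secret key are assumptions of the example, and network transport, the terminal's nonvolatile storage and the user interface are left out.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// TerminalID is the "terminal identification code" the center issues (hypothetical string form).
type TerminalID string

// Session is one terminal's persistent login into an APID, kept by a service party.
type Session struct {
	Key   string // the "conversation secret key" handed to the terminal
	Valid bool
}

// LoginStatus is one entry of the list a service party reports to the center.
type LoginStatus struct {
	Party, APID string
	Terminal    TerminalID
	Valid       bool
}

// ServiceParty keeps sessions per APID keyed by terminal identification code.
type ServiceParty struct {
	Name     string
	sessions map[string]map[TerminalID]*Session
}

func NewServiceParty(name string) *ServiceParty {
	return &ServiceParty{name, map[string]map[TerminalID]*Session{}}
}

// Login (first step) creates a fresh session for terminal t in apid and returns
// the key the terminal stores in its nonvolatile memory.
func (sp *ServiceParty) Login(apid string, t TerminalID) string {
	if sp.sessions[apid] == nil {
		sp.sessions[apid] = map[TerminalID]*Session{}
	}
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	sp.sessions[apid][t] = &Session{Key: hex.EncodeToString(b), Valid: true}
	return sp.sessions[apid][t].Key
}

// Resume reports whether terminal t can enter apid directly with its stored key.
func (sp *ServiceParty) Resume(apid string, t TerminalID, key string) bool {
	s := sp.sessions[apid][t]
	return s != nil && s.Valid && s.Key == key
}

// Statuses (second step) answers the center's refresh request; invalidated sessions are reported with Valid=false.
func (sp *ServiceParty) Statuses(apid string) []LoginStatus {
	var out []LoginStatus
	for t, s := range sp.sessions[apid] {
		out = append(out, LoginStatus{sp.Name, apid, t, s.Valid})
	}
	return out
}

// Invalidate (fourth step) deletes the conversation secret key, so the terminal must authenticate again.
func (sp *ServiceParty) Invalidate(apid string, t TerminalID) {
	if s := sp.sessions[apid][t]; s != nil {
		s.Valid, s.Key = false, ""
	}
}

// AuthCenter stores the AUID -> service party -> APID associations of the Preposed-step.
type AuthCenter struct {
	links map[string]map[*ServiceParty]string
}

func NewAuthCenter() *AuthCenter {
	return &AuthCenter{links: map[string]map[*ServiceParty]string{}}
}

// Associate records that auid's account at service party sp is apid.
func (ac *AuthCenter) Associate(auid string, sp *ServiceParty, apid string) {
	if ac.links[auid] == nil {
		ac.links[auid] = map[*ServiceParty]string{}
	}
	ac.links[auid][sp] = apid
}

// Refresh collects the login statuses of every associated service party; this is
// the list the center shows on the terminal that has logged in the AUID.
func (ac *AuthCenter) Refresh(auid string) []LoginStatus {
	var out []LoginStatus
	for sp, apid := range ac.links[auid] {
		out = append(out, sp.Statuses(apid)...)
	}
	return out
}

// Revoke forwards the user's "invalidate" setting for one terminal to the service party.
func (ac *AuthCenter) Revoke(auid string, sp *ServiceParty, t TerminalID) {
	if apid, ok := ac.links[auid][sp]; ok {
		sp.Invalidate(apid, t)
	}
}
```

A typical run associates one AUID with APID-A at party A and APID-B at party B, logs the phone and the PC in at A and the phone in at B, then calls Revoke for the phone at A: Resume for the phone at A then fails while the PC's key still works, and Refresh lists the phone's session at A with Valid=false beside the two still-valid sessions, which is what the user's terminal would display.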

Embodiment 3

In this embodiment, the user logs in to the service party by passing third-party authentication through the authentication center. There are many technical schemes of this kind, and this embodiment is only one typical scheme.

In this embodiment, the authentication center is the server (group) of a service provider which provides a login information service on the internet, service party A and service party B are two independent websites which trust the authentication center, and the user's terminals are a mobile phone and a PC.

Firstly the Preposed-step needs to be carried out. The Preposed-step is the precondition of the subsequent steps; it needs to be carried out only once, while the subsequent steps are capable of being carried out repeatedly.

Preposed-step: the user registers APID-A at service party A, registers APID-B at service party B and registers AUID at the authentication center, and then the user associates APID-A and APID-B with AUID at service party A and service party B respectively, and service party A and service party B each send an association notification to the authentication center for confirmation. For example: after the user logs in to service party A, the user sends the user's AUID at the authentication center to service party A; service party A sends the user's APID-A and AUID together to the authentication center; if the authentication center confirms that the AUID exists, the authentication center stores APID-A and AUID correspondingly and returns an association confirmation to service party A; after service party A receives the association confirmation, service party A stores the AUID and the user's APID-A correspondingly; and service party A returns a message of association success to the authentication center. For another example: after the user logs in to the authentication center by using the terminal, the user sends the user's APID at the service party to the authentication center; the authentication center stores the APID and the user's AUID correspondingly; the authentication center sends a notification of the association to the APID's service party; and after the service party receives the notification, the service party stores the APID and the user's AUID correspondingly too and returns an association confirmation to the authentication center.

The user runs an authentication program on the terminal to connect to the authentication center for registration and login. The authentication program may be a special program released by the authentication center, or it may be the browser.

The user logs in to the authentication center by using the mobile phone and the PC, and when the user's mobile phone and PC log in to the authentication center for the first time, the authentication center generates the “terminal identification information” for the mobile phone and the PC respectively (or the user sets the “terminal identification information” at the interface which has logged in the authentication center). The authentication center sends the “terminal identification codes” to the user's mobile phone and PC, and the program on the user's terminal which is used to log in to the authentication center stores the “terminal identification codes” in nonvolatile memory (flash memory or hard disk). The user may also set the “terminal user identification information” of the different terminals after logging in to the authentication center, and the authentication center stores the “terminal user identification information” and the “terminal identification information” correspondingly.

Then the following steps are capable of being carried out.

The first step. After the user logs in to the AUID at the authentication center by using the authentication program on the user's PC and mobile phone, the authentication center sends the APIDs at the different service parties that are associated with the AUID to the authentication program.

The authentication center and the authentication program on the terminal both store the “terminal identification information”. After the user logs in to the authentication center by using the authentication program on the terminal, the terminal sends the “terminal identification information” to the authentication center. The authentication center stores the “terminal user identification information” set by the user for the terminal. For example: the user is capable of setting, at the authentication program's interface which has logged in the authentication center, the “terminal user identification information” (such as “my mobile phone”, “my office computer” and “my home computer”) for the different terminals, and such “terminal user identification information” is stored at the authentication center corresponding to the “terminal identification information”.

The second step. The user chooses the APID which the user wants to log in to from the list of APIDs on the authentication program's interface on the user's PC or mobile phone, and the user passes the identity authentication of the service party through the indirect authentication of the authentication center, so the user is capable of logging in to the APIDs at the different service parties with one click. In this embodiment, the authentication center sends a verification credential to the service party through the authentication program on the terminal, and the service party verifies the verification credential either by means of the authentication center's public key held by the service party (the authentication center holds the corresponding secret key) or by sending the verification credential to the authentication center for verification; if the verification credential is correct, the service party permits the user's terminal to log in to the APID. The program which the user uses to log in to the APID at the service party is the authentication program or another program. For example: the authentication program is a browser, and after the authentication program receives the verification credential, it sends the verification credential to the service party in a new page's login request. For another example: the authentication program is a special program issued by and dedicated to the authentication center (not a browser), and after the authentication program receives the verification credential, it opens a new page in a browser or starts the program which is dedicated to the service party, and sends the verification credential to the service party to request login through that browser page or that service party's program.

When the user requests to log in to the service party by using the authentication program, the authentication program sends the credential together with the terminal's “terminal identification information” to the service party, and the service party stores the “terminal identification information” together with the conversation secret key correspondingly. The “terminal identification information” is either stored on the terminal by the authentication program, or is the corresponding “terminal identification information” which the authentication center stores and sends to the authentication program after the authentication center identifies the terminal.
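The second step has the service party verify the credential with the authentication center's public key, and the paragraph above adds that the credential travels together with the terminal identification information. The Go program below is an added example of that check, not the patent's or any implementation's code. It assumes an Ed25519 key pair at the center, a JSON credential carrying the AUID, the intended service party, the APID, the terminal identification information, a single-use nonce and an expiry (the patent fixes none of these fields), and a service party that rejects a credential whose signature, intended party, terminal binding, validity period or nonce does not check out. Binding the credential to the terminal identification information and to one service party is what stops a credential captured on one terminal, or issued for service party A, from being replayed elsewhere.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the verification credential the authentication center issues for a
// one-click login. The fields are an assumption of this example; the patent fixes no format.
type Credential struct {
	AUID     string `json:"auid"`
	Party    string `json:"party"`    // service party the credential is meant for
	APID     string `json:"apid"`
	Terminal string `json:"terminal"` // terminal identification information it is bound to
	Nonce    string `json:"nonce"`    // accepted at most once
	Expires  int64  `json:"exp"`      // Unix seconds
}

// SignedCredential is what the authentication program carries to the service party.
type SignedCredential struct {
	Payload []byte
	Sig     []byte
}

// AuthCenter holds the signing (secret) key; service parties get only the public key.
type AuthCenter struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewAuthCenter() *AuthCenter {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &AuthCenter{priv: priv, Pub: pub}
}

// Issue signs a credential letting terminal log in to apid at party, valid for ttl from now.
func (ac *AuthCenter) Issue(auid, party, apid, terminal string, now time.Time, ttl time.Duration) SignedCredential {
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	c := Credential{AUID: auid, Party: party, APID: apid, Terminal: terminal,
		Nonce: hex.EncodeToString(nonce), Expires: now.Add(ttl).Unix()}
	payload, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return SignedCredential{Payload: payload, Sig: ed25519.Sign(ac.priv, payload)}
}

// ServiceParty verifies credentials locally with the center's public key.
type ServiceParty struct {
	Name      string
	CenterPub ed25519.PublicKey
	seen      map[string]bool // nonces already accepted
}

func NewServiceParty(name string, pub ed25519.PublicKey) *ServiceParty {
	return &ServiceParty{Name: name, CenterPub: pub, seen: map[string]bool{}}
}

// Verify checks signature, intended party, terminal binding, expiry and single use.
// presentedTerminal is the terminal identification information sent alongside the credential.
func (sp *ServiceParty) Verify(sc SignedCredential, presentedTerminal string, now time.Time) (Credential, error) {
	var c Credential
	if !ed25519.Verify(sp.CenterPub, sc.Payload, sc.Sig) {
		return c, errors.New("signature does not verify under the center's public key")
	}
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return c, err
	}
	switch {
	case c.Party != sp.Name:
		return c, errors.New("credential was issued for another service party")
	case c.Terminal != presentedTerminal:
		return c, errors.New("credential is bound to a different terminal")
	case now.Unix() > c.Expires:
		return c, errors.New("credential has expired")
	case sp.seen[c.Nonce]:
		return c, errors.New("credential has already been used")
	}
	sp.seen[c.Nonce] = true // only a fully checked credential consumes its nonce
	return c, nil
}

func main() {
	ac := NewAuthCenter()
	a := NewServiceParty("A", ac.Pub)
	now := time.Now()
	sc := ac.Issue("auid-1", "A", "apid-a", "phone", now, time.Minute)
	_, err := a.Verify(sc, "phone", now)
	fmt.Println("first presentation:", err)
	_, err = a.Verify(sc, "phone", now)
	fmt.Println("replay:", err)
}
```

The nonce is recorded only after every other check has passed, so a credential presented from the wrong terminal is not consumed and can still be used correctly from the terminal it was issued for. A real service party would also bound the nonce store by the credential's expiry, which the in-memory map above does not do.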

In this embodiment, the user logs in to APID-A at service party A by using the PC and the mobile phone respectively, and the PC and the mobile phone maintain valid statuses of the logins by which they enter service party A. The user also logs in to APID-B at service party B by using the PC and the mobile phone respectively, and the PC and the mobile phone maintain valid statuses of the logins by which they enter service party B. If the user does not make the PC and the mobile phone exit the logins at service party A and B, the user is capable of logging in to APID-A and APID-B directly, with no need to input the user verification information or use the user verification device to pass identity authentication, and with no need to pass the indirect authentication of the authentication center. The valid login statuses are maintained by valid conversations between the terminals (PC, mobile phone) and the service parties (A, B). For example: after the user logs in to service party A by using the PC, service party A generates a conversation secret key and sends it to the PC; the PC stores the conversation secret key on the hard disk or other nonvolatile storage medium; and while the conversation secret key is valid, the PC is capable of logging in to APID-A at service party A directly by means of the conversation secret key.

The third step. The user is capable of operating on the authentication program's interface on the PC to choose to exit or shut down the authentication program on the PC, so that the authentication program on the PC exits the login at the authentication center.

The fourth step. The user logs in to the AUID at the authentication center by using the authentication program on the PC or the tablet computer. After the user logs in to the authentication center, the authentication center sends requests for refreshing the login statuses to service party A and service party B, and service party A and service party B respectively send to the authentication center the statuses of the logins by which the PC and the mobile phone used by the user enter service party A and service party B. The authentication center sends, to the authentication program on the terminal which the user is currently using, the statuses of the logins by which the PC and the mobile phone used by the user enter the APIDs at service party A and service party B, together with the statuses of the logins by which the PC and the mobile phone used by the user enter the AUID at the authentication center. The user is capable of operating on the interface of the authentication program to change the statuses of the logins by which the PC and the mobile phone used by the user enter the authentication center. For example, the user may make the statuses of the logins by which the mobile phone enters service party A and service party B invalid, and the user may also make the status of the login by which the mobile phone enters the authentication center invalid. After that, the user is no longer capable of logging in to service party A, service party B and the authentication center directly from the mobile phone without user identity authentication or the indirect authentication of the third party (the authentication center), and the user must pass identity authentication on the mobile phone, or pass the indirect authentication of the third party on the mobile phone, to make the mobile phone log in and enter service party A, service party B and the authentication center.

In this embodiment, the means by which the user passes the identity authentication of the authentication center may be a username and password, an agreed code input by the user, or a portable external IC card.

The statuses sent by service party A and B to the authentication center include the “terminal identification information” of the user's mobile phone and PC.

Service party A and B send other related information about the user's APIDs to the authentication center, and the authentication center sends the other related information to the terminal which the user is currently using.

The user is capable of setting at the authentication center whether a specific terminal is permitted or forbidden to log in to the user's APID at a specific service party. The user is also capable of setting at the authentication center that a terminal which is not registered at the authentication center, or not associated with the AUID at the authentication center, is forbidden to log in to the user's APID at a specific service party or to the user's APIDs at all service parties.

When the user logs in to the user's APID at a specific service party, or at all service parties, by using a terminal which is not registered at the authentication center or not associated with the user's AUID at the authentication center, the authentication center sends a request for confirmation to the user, and only after the user confirms to the authentication center is the terminal capable of logging in to the user's APID.

The user is capable of setting at the authentication center whether a specific terminal is permitted or forbidden to use a specific function of a specific service party. The specific terminal may be a terminal which is not registered at the authentication center or not associated with the user's AUID at the authentication center, a specific type of terminal, or one specific terminal. For example, the user is capable of setting at the authentication center that mobile terminals are forbidden to pay or transfer funds through the user's account at a specific third-party payment platform. For another example, the user is capable of setting at the authentication center that a terminal which is not registered at the authentication center or not associated with the user's AUID at the authentication center is forbidden to use the payment or transfer functions of the user's APID at the third-party payment platform.
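The three paragraphs above describe settings at the authentication center that permit or forbid a specific terminal, a type of terminal, or an unregistered terminal from logging in to, or using a function of, a specific service party, with a terminal unknown to the center otherwise needing the user's confirmation before it may log in. The Go code below is an added example of evaluating such settings when a service party consults the center; it is not the patent's own code. The rule fields, the first-match evaluation order, the three-way permit/forbid/confirm answer and function names such as “transfer” are assumptions of the example, and “unregistered” is taken, as the text defines it, to mean either not registered at the center or not associated with the user's AUID.

```go
package main

import "fmt"

// Decision is the answer the authentication center gives when a service party asks
// whether a terminal may log in or use a function.
type Decision int

const (
	Permit  Decision = iota
	Forbid
	Confirm // terminal unknown to the center: ask the user first
)

func (d Decision) String() string { return [...]string{"permit", "forbid", "confirm"}[d] }

// Terminal is what the center knows about the terminal asking (hypothetical fields).
type Terminal struct {
	ID         string // terminal identification information; empty if never issued
	Type       string // e.g. "mobile" or "pc"
	Registered bool   // registered at the authentication center
	AssocAUID  string // AUID the terminal is associated with, if any
}

// Rule is one user setting at the center. An empty selector matches anything;
// Unregistered selects terminals not registered or not associated with the AUID.
type Rule struct {
	Party, Function          string
	TerminalID, TerminalType string
	Unregistered             bool
	Allow                    bool // false means the rule forbids
}

// Policy holds the rules one user set for their AUID; the first matching rule wins.
type Policy struct {
	AUID  string
	Rules []Rule
}

func unregistered(auid string, t Terminal) bool {
	return !t.Registered || t.AssocAUID != auid
}

func (r Rule) matches(auid, party, function string, t Terminal) bool {
	if r.Party != "" && r.Party != party {
		return false
	}
	if r.Function != "" && r.Function != function {
		return false
	}
	if r.TerminalID != "" && r.TerminalID != t.ID {
		return false
	}
	if r.TerminalType != "" && r.TerminalType != t.Type {
		return false
	}
	return !r.Unregistered || unregistered(auid, t)
}

// Decide answers whether terminal t may use function at party. With no matching rule,
// a registered and associated terminal is permitted and any other terminal needs the
// user's confirmation, as the text describes for terminals unknown to the center.
func (p Policy) Decide(party, function string, t Terminal) Decision {
	for _, r := range p.Rules {
		if r.matches(p.AUID, party, function, t) {
			if r.Allow {
				return Permit
			}
			return Forbid
		}
	}
	if unregistered(p.AUID, t) {
		return Confirm
	}
	return Permit
}

func main() {
	p := Policy{AUID: "auid-1", Rules: []Rule{
		{Party: "pay", Function: "transfer", TerminalType: "mobile"}, // no transfers from mobiles
		{Party: "pay", Function: "transfer", Unregistered: true},     // nor from unknown terminals
	}}
	phone := Terminal{ID: "phone", Type: "mobile", Registered: true, AssocAUID: "auid-1"}
	fmt.Println(p.Decide("pay", "transfer", phone), p.Decide("pay", "login", Terminal{Type: "pc"}))
}
```

Because a forbid rule for a whole terminal type sits before any per-terminal allow rule the user might add later, order is part of the policy; a deployment would need to surface that ordering in the interface, or fix a precedence such as most-specific-rule-wins, so that the list the user sees matches what the center enforces.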

This invention may be formed into a standardized protocol, and the authentication center, the service party, the user and the terminals may realize this invention based on this protocol. The authentication center may also develop programs or software modules based on this protocol and provide them to the service parties and the users, so that they cooperate to realize this invention.

1. A system for authentication center includes an authentication center,service parties, users and terminals, and is characterized in that theterminal is connected with the authentication center and the serviceparty by a network and is capable of communicating with either, whereinthe terminal, the service party and the authentication center areconnected by internet, wherein the user has the user account AUID at theauthentication center, and the user has the user account APID at theservice party, and the user is capable of using the terminal toestablish the independent connection with the authentication center andthe service party respectively, and the user is capable of logining theAUID and the APID through the independent connections, wherein theauthentication center stores the corresponding relationships between theAUID of a user and the user's APIDs at the different service parties,wherein the service party sends the statuses of the logins or thesessions by which the different terminals used by a user enter theuser's APID at the service party to the authentication center, whereinafter a user logins the AUID at the authentication center by using thecurrent terminal the authentication center is capable of sending thestatuses of the logins or the sessions by which the different terminalsused by the user enter the user's APIDs at different service parties tothe current terminal used by the user, wherein on the current terminal'sinterface which has logined the user's AUID at the authentication centerthe user is capable of seeing and changing or stopping or disabling thestatuses of the logins or the sessions by which the different terminalsused by the user enter the user's APIDs at different service parties. 
2.The system for authentication center according to claim 1, characterizedin that a user is capable of setting at the authentication center topermit or forbid the specific terminal to login the user's APID at thespecific service party, wherein the specific terminal may be theterminal not registered at the authentication center or the terminal notassociated with the user's AUID at the authentication center or theterminal of a specific type or a specific terminal or all terminals. 3.The system for authentication center according to claim 1, characterizedin that a user is capable of setting at the authentication center or theauthentication center is capable of setting automatically by defaultthat the specific terminal must login the user's APID at the specificservice party through the authentication center or the specific terminalis capable of logining the user's APID at the specific service partyonly when the user has logined the user's AUID at the authenticationcenter by the authentication program, wherein the specific terminal maybe the terminal not registered at the authentication center or theterminal not associated with the user's AUID at the authenticationcenter or the terminal of a specific type or a specific terminal or allterminals, wherein the user logins the authentication center by using anauthentication program on the terminal and the user is capable ofsetting the statuses of the logins or the sessions on the interface ofthe authentication program.
 4. The system for authentication centeraccording to claim 1, characterized in that a user is capable of settingat the authentication center to permit or forbid the specific terminalto use the specific function of the specific service party, wherein thespecific terminal may be the terminal not registered at theauthentication center or the terminal not associated with the user'sAUID at the authentication center or the terminal of a specific type ora specific terminal or all terminals.
 5. The system for authenticationcenter according to claim 1, characterized in that the user is capableof seeing on the terminal's interface which has logined theauthentication center the list of the statues of the logins or thesessions by which the different terminals which the user used or isusing enter the user's APIDs at the different service parties.
 6. Thesystem for authentication center according to claim 1, characterized inthat when a user logins the APID at the service party by using aterminal the service party sends the “terminal identificationinformation” to the authentication center and then the authenticationcenter returns the confirmation which permits or forbids the login, or auser must login the user's APID at the service party by logining theauthentication center first and then the authentication center decidesdirectly if the login by which the user's terminal enters the serviceparty is permitted.
 7. The system for authentication center according toclaim 1, characterized in that each time a user uses a terminal toreconnect and login the service party, the terminal sends the “terminalidentification information” of the terminal or the “terminal serviceparty identification information” of the terminal to the service party,and the status of the login or the session sent by the service party tothe authentication center includes the “terminal identificationinformation” corresponding to the terminal.
 8. The system forauthentication center according to claim 1, characterized in that theuser logins the authentication center by using an authentication programon the terminal, and the user is capable of setting the statuses of thelogins or the sessions on the interface of the authentication program,and the user is capable of operating to choose to login differentservice parties on the terminal's authentication program's interfacewhich has logined the AUID at the authentication center, and the user iscapable of using other program which is not the authentication programto login the user's APID at the service party through the authenticationprogram.
 9. The system for authentication center according to claim 1,characterized in that when a user logins the user's AUID at theauthentication center by using a terminal the authentication centersends the requests for refreshing the statuses to the service partieswhich the AUID's corresponding APIDs of the user are at and then theservice party received the request for refreshing the statuses sends thestatuses of the logins or the sessions by which the different terminalsused by the user enter the user's APID at the service party to theauthentication center, or when a user requests for refreshing theinformation of the statuses in the interface which has logined theauthentication center by the terminal used by the user the service partysends the statuses of the logins or the sessions to the authenticationcenter.
 10. The system for authentication center according to claim 1,characterized in that the different service parties are independent fromeach other and don't need to trust each other and have no trustrelationship to each other, and there is no mutual membership relationto each other between the service party and the authentication center,and the service party and the authentication center are the entitiesoperating independently respectively, and the communication path orroute of the independent connection which the user establishes to theservice party by using the terminal doesn't include or doesn't passthrough the authentication center, and the communication path or routeof the independent connection which the user establishes to theauthentication center by using the terminal doesn't include or doesn'tpass through the service party.
 11. The system for authentication centeraccording to claim 1, characterized in that the service party sends thestatuses of the logins or the sessions by which the different programson different terminals used by a user or the different programs used bya user enter the user's APID at the service party to the authenticationcenter, wherein after a user logins the AUID at the authenticationcenter by using the current terminal the authentication center iscapable of sending the statuses of the logins or the sessions by whichthe different programs on different terminals used by the user or thedifferent programs used by the user enter the user's APIDs at differentservice parties to the current terminal used by the user, wherein on thecurrent terminal's interface which has logined the user's AUID at theauthentication center the user is capable of changing or stopping ordisabling the statuses of the logins or the sessions by which thedifferent programs on different terminals used by the user or thedifferent programs used by the user enter the user's APIDs at differentservice parties.
 12. The system for authentication center according toclaim 1, characterized in that the terminal's interface which haslogined the user's AUID at the authentication center is capable ofdisplaying the specific account information of the user's APIDs at thedifferent service parties, and the user is capable of changing thespecific account information of the user's APIDs at the differentservice parties on the terminal's interface which has logined the user'sAUID at the authentication center, and the specific account informationincludes the user's head portrait or nickname or both.
13. A system for authentication center including an authentication center, service parties, users and terminals, characterized in that the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, wherein the terminal, the service party and the authentication center are connected by the internet; wherein the user has the user account AUID at the authentication center and the user account APID at the service party, and the user is capable of using the terminal to establish an independent connection with the authentication center and with the service party respectively, and of logging in to the AUID and the APID through the independent connections; wherein the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties; wherein a user is capable of setting at the authentication center to permit or forbid a specific terminal to log in to the user's APID at a specific service party, the specific terminal being a terminal not registered at the authentication center, a terminal not associated with the user's AUID at the authentication center, a terminal of a specific type, one specific terminal, or all terminals; wherein the different service parties are independent from each other, do not need to trust each other and have no trust relationship with each other; wherein there is no mutual membership relationship between the service party and the authentication center, and the service party and the authentication center are entities that operate independently of each other; and wherein the communication path or route of the independent connection which the user establishes to the service party by using the terminal does not include or pass through the authentication center, and the communication path or route of the independent connection which the user establishes to the authentication center by using the terminal does not include or pass through the service party.
14. The system for authentication center according to claim 13, characterized in that a user is capable of setting at the authentication center to permit or forbid a specific terminal to use a specific function of a specific service party.
15. The system for authentication center according to claim 13, characterized in that the user logs in to the authentication center by using an authentication program on the terminal; the user is capable of choosing to log in to different service parties on the interface of the terminal's authentication program on which the AUID has been logged in at the authentication center; and the user is capable of using another program, which is not the authentication program, to log in to the user's APID at the service party through the authentication program.
16. A system for authentication center including an authentication center, service parties, users and terminals, characterized in that the terminal is connected with the authentication center and the service party through a network and is capable of communicating with either, wherein the terminal, the service party and the authentication center are connected by the internet; wherein the user has the user account AUID at the authentication center and the user account APID at the service party, and the user is capable of using the terminal to establish an independent connection with the authentication center and with the service party respectively, and of logging in to the AUID and the APID through the independent connections; wherein the authentication center stores the corresponding relationships between the AUID of a user and the user's APIDs at the different service parties; wherein the service party sends to the authentication center the statuses of the logins or the sessions by which the different programs on the different terminals used by a user, or the different programs used by a user, enter the user's APID at the service party; wherein, after a user logs in to the AUID at the authentication center by using the current terminal, the authentication center is capable of sending to the current terminal used by the user the statuses of the logins or the sessions by which the different programs on the different terminals used by the user, or the different programs used by the user, enter the user's APIDs at the different service parties; and wherein, on the current terminal's interface on which the user's AUID has been logged in at the authentication center, the user is capable of changing, stopping or disabling the statuses of the logins or the sessions by which the different programs on the different terminals used by the user, or the different programs used by the user, enter the user's APIDs at the different service parties.
17. The system for authentication center according to claim 16, characterized in that a user is capable of setting at the authentication center to permit or forbid a specific program, or a specific program on a specific terminal, to log in to the user's APID at a specific service party.
18. The system for authentication center according to claim 16, characterized in that the status of the login or the session sent by the service party to the authentication center includes the “program identification information” corresponding to the specific program on the terminal; or the status of the login or the session sent by the service party to the authentication center includes the “terminal identification information” corresponding to the terminal, and the “terminal identification information” includes or is accompanied by the “program identification information” by which the different programs on the terminal are distinguished.
19. The system for authentication center according to claim 16, characterized in that the user logs in to the authentication center by using an authentication program on the terminal; the user is capable of setting the statuses of the logins or the sessions on the interface of the authentication program; the user is capable of choosing to log in to different service parties on the interface of the terminal's authentication program on which the AUID has been logged in at the authentication center; and the user is capable of using another program, which is not the authentication program, to log in to the user's APID at the service party through the authentication program.
20. The system for authentication center according to claim 16, characterized in that the different service parties are independent from each other, do not need to trust each other and have no trust relationship with each other; that there is no mutual membership relationship between the service party and the authentication center, the service party and the authentication center being entities that operate independently of each other; that the communication path or route of the independent connection which the user establishes to the service party by using the terminal does not include or pass through the authentication center; and that the communication path or route of the independent connection which the user establishes to the authentication center by using the terminal does not include or pass through the service party.
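The following is an added toy model of the system described in claims 13 to 18: the authentication center stores the AUID-to-APID correspondence, each service party reports the status of every login tagged with terminal identification information and program identification information, the user lists and stops those sessions from the terminal logged in to the AUID, and the user forbids a terminal or a program from logging in at a service party. It is written for this page and is not code from the patent or from any implementation of it. Two things it assumes that the claims do not state: the center and each service party share a per-service secret key and authenticate every status report and every stop command with HMAC-SHA256, and the service party queries the center's permit/forbid policy at login time. The class and function names and the sample accounts (alice, bob, shop, chat) are constructed; the in-process method calls stand in for messages over the independent network connections.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, replace

# Constructed toy model of the claimed system. Assumption not in the claims: the center and
# each service party share a per-service key and HMAC-SHA256 every report and stop command.

@dataclass(frozen=True)
class SessionStatus:
    service: str      # service party that owns the login/session
    apid: str         # user's account at that service party
    terminal_id: str  # "terminal identification information" (claim 18)
    program_id: str   # "program identification information" telling programs on one terminal apart
    session_id: str
    active: bool = True

    def encode(self):
        return "|".join([self.service, self.apid, self.terminal_id, self.program_id,
                         self.session_id, str(self.active)]).encode()

def sign(key, payload):
    return hmac.new(key, payload, hashlib.sha256).hexdigest()

class AuthenticationCenter:
    def __init__(self):
        self.keys = {}       # service name -> shared key (assumed provisioning step)
        self.links = {}      # (auid, service) -> apid: the stored AUID/APID correspondence
        self.statuses = {}   # (service, session_id) -> latest status reported by that service
        self.denied = set()  # (auid, service, terminal_id, program_id or None) set by the user

    def link(self, auid, service, apid):
        self.links[(auid, service)] = apid

    def forbid(self, auid, service, terminal_id, program_id=None):
        # Claims 13/17: forbid one terminal ("*" for all terminals) or one program on a terminal.
        self.denied.add((auid, service, terminal_id, program_id))

    def is_permitted(self, service, apid, terminal_id, program_id):
        auid = next((a for (a, s), p in self.links.items() if s == service and p == apid), None)
        if auid is None:
            return True  # APID not linked to any AUID, so the center holds no policy for it
        return not any(rule in self.denied for rule in [
            (auid, service, "*", None), (auid, service, terminal_id, None),
            (auid, service, terminal_id, program_id)])

    def report_status(self, service, status, mac):
        if not hmac.compare_digest(mac, sign(self.keys[service], status.encode())):
            raise PermissionError("status report not authenticated by " + service)
        self.statuses[(service, status.session_id)] = status

    def list_sessions(self, auid):
        # What the center sends to the terminal that has logged in to the AUID (claims 11/16).
        return [s for s in self.statuses.values()
                if s.active and self.links.get((auid, s.service)) == s.apid]

    def stop_session(self, auid, service_obj, session_id):
        st = self.statuses.get((service_obj.name, session_id))
        if st is None or self.links.get((auid, service_obj.name)) != st.apid:
            raise PermissionError("session is not linked to this AUID")
        service_obj.revoke(session_id, sign(self.keys[service_obj.name], b"stop|" + session_id.encode()))

class ServiceParty:
    def __init__(self, name, center, key):
        self.name, self.center, self.key, self.sessions = name, center, key, {}
        center.keys[name] = key

    def login(self, apid, terminal_id, program_id):
        # The terminal reaches the service party directly; the service party only asks the
        # center whether this terminal/program is permitted (assumed query, see lead-in).
        if not self.center.is_permitted(self.name, apid, terminal_id, program_id):
            return None
        st = SessionStatus(self.name, apid, terminal_id, program_id, secrets.token_hex(8))
        self.sessions[st.session_id] = st
        self.center.report_status(self.name, st, sign(self.key, st.encode()))
        return st.session_id

    def revoke(self, session_id, mac):
        if not hmac.compare_digest(mac, sign(self.key, b"stop|" + session_id.encode())):
            raise PermissionError("stop command not authenticated by the center")
        self.sessions[session_id] = st = replace(self.sessions[session_id], active=False)
        self.center.report_status(self.name, st, sign(self.key, st.encode()))

    def is_active(self, session_id):
        return self.sessions[session_id].active

def demo():
    center = AuthenticationCenter()
    shop, chat = ServiceParty("shop", center, b"shop-key"), ServiceParty("chat", center, b"chat-key")
    center.link("alice@center", "shop", "alice_s")
    center.link("alice@center", "chat", "alice_c")
    old = shop.login("alice_s", "old-phone", "browser")  # constructed sample logins
    new = shop.login("alice_s", "new-phone", "shop-app")
    chat.login("alice_c", "old-phone", "chat-app")
    before = len(center.list_sessions("alice@center"))
    center.stop_session("alice@center", shop, old)       # user stops the old phone's shop session
    after = len(center.list_sessions("alice@center"))
    center.forbid("alice@center", "chat", "old-phone")   # and forbids the old phone at chat
    denied = chat.login("alice_c", "old-phone", "chat-app")
    return before, after, denied, shop.is_active(old), shop.is_active(new)

def forged_stop_is_rejected():
    center = AuthenticationCenter()
    svc = ServiceParty("svc", center, b"svc-key")
    center.link("bob@center", "svc", "bob_s")
    sid = svc.login("bob_s", "laptop", "browser")
    try:
        svc.revoke(sid, "00" * 32)  # attacker holding no shared key
    except PermissionError:
        return svc.is_active(sid)
    return False
```

Two limits of the toy matter in a real deployment. The status reports carry no sequence number or timestamp, so a replayed earlier "active" report would overwrite the revoked status in the center's view; production messages need monotonic counters or signed timestamps. Forbidding a terminal (claim 13) only affects new logins here; existing sessions from that terminal stay active until the user stops them, which is the behaviour the claims describe as two separate capabilities. The model also makes visible why the center is the system's high-value target: whoever can issue authenticated stop commands or policy changes on a user's AUID controls every linked session at every service party, even though the service parties share no trust among themselves.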